Solving Portswigger Academy: Blind XXE with out-of-band interaction

Vishal
Sep 24, 2024

In this lab, we have to exploit blind SSRF via XXE. It is called blind because we cannot see the application's response to our payload in the HTTP response, but we can cause an out-of-band interaction with a server under our control, such as Burp Collaborator.

In this lab, too, the check stock feature is vulnerable, so I will start directly with Burp's request and response.

Burp history request and response to check product

Send the above request to Repeater and edit the request to add the external entity. First I test for normal XXE, but it says Invalid Product ID.

Now we can test for SSRF through XXE using Collaborator. Here it still says invalid product ID.

But when I checked in collaborator, it shows DNS and HTTP responses.

Payload used:

payload
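The lab works because the stock-check endpoint hands the XML body to a parser that resolves external entities, so a `SYSTEM` entity pointing at a Collaborator host makes the server perform the DNS and HTTP lookups even though the only visible reply is "Invalid product ID". The defensive fix is to refuse any DTD before the document reaches the parser. The following is an added example, not code from the lab or from PortSwigger: a small stock-check request handler that classifies an incoming body and rejects anything carrying a `DOCTYPE` or an external entity declaration, followed by two constructed request bodies (the Collaborator hostname is a placeholder, not a real one).

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all is suspicious for a simple stock-check API; an ENTITY with a
# SYSTEM or PUBLIC identifier is the specific construct that triggers the
# out-of-band fetch described above.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


class XmlRejected(ValueError):
    """Raised when a request body is refused before or during parsing."""


def classify_request(body: str) -> str:
    """Return 'external-entity', 'dtd' or 'clean' for an XML request body.

    Checked on the raw text, before any XML parser sees the document, so the
    verdict does not depend on how a particular parser treats entities."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if DOCTYPE_RE.search(body):
        return "dtd"
    return "clean"


def parse_stock_check(body: str) -> dict:
    """Hardened handler: reject DTDs, then extract numeric productId/storeId."""
    verdict = classify_request(body)
    if verdict != "clean":
        raise XmlRejected(f"DTD not allowed in stock check request ({verdict})")
    root = ET.fromstring(body)
    if root.tag != "stockCheck":
        raise XmlRejected("Unexpected root element")
    product_id = root.findtext("productId")
    store_id = root.findtext("storeId")
    # Mirrors the lab's visible behaviour: anything non-numeric is "Invalid product ID".
    if product_id is None or not product_id.strip().isdigit():
        raise XmlRejected("Invalid product ID")
    if store_id is None or not store_id.strip().isdigit():
        raise XmlRejected("Invalid store ID")
    return {"productId": int(product_id), "storeId": int(store_id)}


def is_rejected(body: str) -> bool:
    """Convenience wrapper: True if the hardened handler refuses the body."""
    try:
        parse_stock_check(body)
    except XmlRejected:
        return True
    return False


# Constructed sample bodies (assumption: the lab's request uses productId/storeId).
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)

# Same shape as the out-of-band probe the post describes; the host is a placeholder.
OOB_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://COLLABORATOR-PLACEHOLDER.example">]>'
    "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("oob-xxe", OOB_BODY)):
        print(name, classify_request(body), "rejected" if is_rejected(body) else "accepted")
```

The pre-parse check is deliberately independent of the XML library: whether a given parser would resolve the entity or silently drop it, the request never reaches it. Logging the `external-entity` verdict together with the source address gives the blue team a direct detection for the probe used in this lab.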
