External service interaction finding masks XXE finding

Bob | Last updated: Nov 08, 2015 02:07PM UTC

Hey folks. Not sure if this would be considered a bug, but I'm running 1.6.30 and have a finding where an XXE payload is being used to tickle the Collaborator, but only the latter is reported (External service interaction DNS|HTTP, type ids 3146240 and 3146256). There's no finding for the XXE. Thanks, Bob

PortSwigger Agent | Last updated: Nov 09, 2015 09:25AM UTC

There are some XML-related payloads for which we only report external service interaction, and not any XXE issue. This is intentional. For example, the payload that injects a schema definition referencing an external URL is reported as external service interaction. This is because this is all that the behavior really amounts to. It's not XXE, because no entity is being defined, and the behavior cannot trivially be leveraged to retrieve file contents in the manner of XXE. So, although we're using an XML-based technique, really the only impact is that we can induce an external service interaction, so that is what gets reported.
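
As an added example (not Burp's code and not from this thread), here is a small Python triage helper that applies the distinction described above to a captured request body: it parses the XML with every fetch disabled and reports whether the document actually declares an external entity (the XXE construct) or only references an external schema URL (an out-of-band interaction and nothing more). The sample documents and the collab.example host are constructed placeholders.

```python
import xml.parsers.expat as expat

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"

def classify_xml_payload(doc: str) -> dict:
    """Classify `doc` as "xxe" (an external entity is declared), "external-service-interaction"
    (only a schema URL is referenced) or "none". Nothing is fetched while parsing."""
    f = {"external_entities": [], "entity_refs": [], "schema_refs": [],
         "parse_error": None, "verdict": "none"}

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC id => external entity, the XXE construct
            f["external_entities"].append((name, system_id))

    def external_ref(context, base, system_id, public_id):
        f["entity_refs"].append(system_id)  # record the reference ...
        return 1                            # ... and report success without fetching it

    def start_element(name, attrs):
        # Schema references make a validating parser fetch a URL but define no entity,
        # so they cannot be used to read file contents the way XXE can.
        for attr, value in attrs.items():
            ns, _, local = attr.rpartition(" ")
            if ns == XSI and local == "schemaLocation":
                f["schema_refs"].extend(value.split()[1::2])  # "ns url ns url" pairs
            elif ns == XSI and local == "noNamespaceSchemaLocation":
                f["schema_refs"].append(value.strip())
            elif name in (XS + " import", XS + " include") and local == "schemaLocation":
                f["schema_refs"].append(value.strip())

    p = expat.ParserCreate(namespace_separator=" ")
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never load the external DTD
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    p.StartElementHandler = start_element
    try:
        p.Parse(doc, True)
    except expat.ExpatError as exc:
        f["parse_error"] = str(exc)
    if f["external_entities"]:
        f["verdict"] = "xxe"
    elif f["schema_refs"]:
        f["verdict"] = "external-service-interaction"
    return f

# Constructed samples (not from the thread); collab.example is a placeholder host.
XXE_DOC = '<!DOCTYPE d [<!ENTITY xxe SYSTEM "http://collab.example/x">]><d>&xxe;</d>'
SCHEMA_DOC = '<d xmlns:xsi="%s" xsi:schemaLocation="urn:demo http://collab.example/d.xsd"/>' % XSI
XSD_DOC = '<xs:schema xmlns:xs="%s"><xs:include schemaLocation="http://collab.example/i.xsd"/></xs:schema>' % XS
PLAIN_DOC = "<d>hello</d>"
```

`classify_xml_payload(XXE_DOC)["verdict"]` is `"xxe"`, while `SCHEMA_DOC` and `XSD_DOC` come back as `"external-service-interaction"` and `PLAIN_DOC` as `"none"`, matching how the scanner reports these cases.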

Burp User | Last updated: Nov 18, 2015 03:50PM UTC

Ah, thanks Dafydd! I wasn't catching that detail in the report.

Burp User | Last updated: Nov 18, 2015 03:51PM UTC

(a.k.a. I wasn't paying attention, lol)
