Lab link.
This lab has a “Check stock” feature that parses XML input, but does not display any unexpected values, and blocks requests containing regular external entities.
To solve the lab, use a parameter entity to make the XML parser issue a DNS lookup and HTTP request to Burp Collaborator.
In the lab, we first test XML Entity. For this, we try the POST request that causes the Chech Stock operation.
We add a reference and get an error. “Entities are not allowed for security reasons“
Sometimes XXE attacks using regular entities are blocked due to precautions taken by the application. In this case, XML parameter entities should be used. Appropriate changes are made in the entity definition.
