W-XXE-BLIND-OOBLateral Movement

Blind XXE — Out-of-Band Exfil

External DTD with parameter entities exfiltrates file contents via a DNS / HTTP callback.

§ Where this technique fits

W-XXE-BLIND-OOB is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

XXE → SSRF → IMDS → cloud creds
XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.
step 2 / 6

§ What commonly comes next

01
XXE → SSRF
W-XXE-SSRF · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

XXE → SSRF → IMDS → cloud creds

§ What commonly comes next