1. Web Security Academy
  2. XXE injection
  3. Blind
  4. Lab

Lab: Exploiting XXE to retrieve data by repurposing a local DTD


This lab has a "Check stock" feature that parses XML input but does not display the result.

To solve the lab, trigger an error message containing the contents of the /etc/passwd file.

You'll need to reference an existing DTD file on the server and redefine an entity from it.


Systems using the GNOME desktop environment often have a DTD at /usr/share/yelp/dtd/docbookx.dtd containing an entity called ISOamso.

Find XXE vulnerabilities using Burp Suite

The benefits of working through PortSwigger's Web Security Academy

Get started with the Web Security Academy where you can practise exploiting vulnerabilities on realistic targets .. and its free!

Already got an account? Login here