1. Web Security Academy
  2. XXE injection
  3. Lab

Lab: Exploiting XXE using external entities to retrieve files


This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.

To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file.

Find XXE vulnerabilities using Burp Suite

The benefits of working through PortSwigger's Web Security Academy

Get started with the Web Security Academy where you can practise exploiting vulnerabilities on realistic targets .. and its free!

Already got an account? Login here