Lab: Exploiting XInclude to retrieve files

This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.

Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.

To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.

Hint

By default, XInclude will try to parse the included document as XML. Since /etc/passwd isn't valid XML, you will need to add an extra attribute to the XInclude directive to change this behavior.

Access the lab

Solution

Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.

Set the value of the productId parameter to:

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

XXE injection XML entities Blind XXE vulnerabilities

All topics

SQL injection XSS CSRF XXE SSRF Request smuggling Command injection Directory traversal