Lab: Exploiting XInclude to retrieve files

PRACTITIONER

This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.

Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.

To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.

Hint

By default, XInclude will try to parse the included document as XML. Since /etc/passwd isn't valid XML, you will need to add an extra attribute to the XInclude directive to change this behavior.

Access the lab

Solution

Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.

Set the value of the productId parameter to:

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

XXE injection XML entities Blind XXE vulnerabilities

All topics

SQL injection XSS CSRF Clickjacking CORS XXE SSRF Request smuggling Command injection Directory traversal Access control WebSockets