Lab: Exploiting XInclude to retrieve files
This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.
Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.
To solve the lab, inject an
XInclude statement to retrieve the contents of the
XInclude will try to parse the included document as XML. Since
/etc/passwd isn't valid XML, you will need to add an extra attribute to the
XInclude directive to change this behavior.
Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Set the value of the
productId parameter to:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>