1. Web Security Academy
  2. XXE injection
  3. Lab

Lab: Exploiting XInclude to retrieve files


This lab has a "Check stock" feature that embeds the user input inside a server-side XML document that is subsequently parsed.

Because you don't control the entire XML document you can't define a DTD to launch a classic XXE attack.

To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.


By default, XInclude will try to parse the included document as XML. Since /etc/passwd isn't valid XML, you will need to add an extra attribute to the XInclude directive to change this behavior.

Try Burp Suite for Free

Find XXE vulnerabilities using Burp Suite

Try for free