In this article, we will solve the PortSwigger Web Security lab titled “Exploiting XInclude to retrieve files,” which focuses on XML vulnerabilities.
Lab Description: Exploiting XInclude to retrieve files
The lab has a “check stock” feature that takes user-provided information and inserts it into an XML document on the server. However, we don’t have control over the entire XML document, which prevents us from defining a DTD or launching a classic XXE attack.
To solve the lab, we need to inject an XInclude statement to read the “/etc/passwd” file.
First, we need to visit the lab and click “view details” on any product.
After clicking, we will find a stock check feature.
Click on the stock check button and intercept the request using Burp Suite.
Once intercepted, forward the request to the repeater tab in Burp Suite.
Now, we know that the “productId” parameter is vulnerable to XML injection.
We will inject our payload into the productId value:
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
With this payload in the productId value, the server’s XML parser processes the XInclude statement and reads the “/etc/passwd” file. Send the request, then refresh the page in the browser to check if the lab has been solved.
As you can see, we have successfully solved Lab number 7, “Exploiting XInclude to retrieve files,” which focuses on XML injection. Congratulations!
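Why the injected value is treated as markup, and two server-side fixes, shown as an added example that is not part of the original article or the lab's own code. The XML template and function names are assumptions made for illustration; the payload is the one quoted above, and nothing here resolves the include or reads a file.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XI_NS = "http://www.w3.org/2001/XInclude"

# Hypothetical server-side template; the lab's real document is not shown.
TEMPLATE = "<stockCheck><productId>{pid}</productId></stockCheck>"

# Constructed sample input: the payload quoted in the walkthrough.
PAYLOAD = ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
           '<xi:include parse="text" href="file:///etc/passwd"/></foo>')


def build_vulnerable(product_id):
    """Raw substitution: markup in the input becomes part of the document."""
    return TEMPLATE.format(pid=product_id)


def build_escaped(product_id):
    """Escape <, > and & so the input can only ever be character data."""
    return TEMPLATE.format(pid=escape(product_id))


def build_validated(product_id):
    """Strictest option: productId is a numeric ID, so reject anything else."""
    if not re.fullmatch(r"[0-9]{1,10}", product_id):
        raise ValueError("productId must be 1-10 digits")
    return TEMPLATE.format(pid=product_id)


def xinclude_elements(document):
    """Count elements in the XInclude namespace. ElementTree only parses here;
    it does not resolve xi:include unless ElementInclude.include() is called."""
    root = ET.fromstring(document)
    return sum(1 for el in root.iter() if el.tag.startswith("{" + XI_NS + "}"))


def product_id_text(document):
    """Return the text the application would see for productId."""
    return ET.fromstring(document).findtext("productId")


if __name__ == "__main__":
    print("vulnerable:", xinclude_elements(build_vulnerable(PAYLOAD)))
    print("escaped:   ", xinclude_elements(build_escaped(PAYLOAD)))
```

On the parser side, the complementary fix is to leave XInclude processing disabled, alongside external entity resolution, unless the application needs it.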