Introduction

In this article, we will solve the PortSwigger Web Security lab titled “Exploiting XInclude to retrieve files,” which focuses on XML vulnerabilities.

Lab Description Exploiting XInclude to retrieve files

The lab features a “check stock” feature that retrieves user-provided information and inserts it into a document. However, we don’t have control over the entire XML document, preventing us from defining DTDs or launching classic XXE attacks.

To solve the lab, we need to inject an XInclude statement to read the “/etc/passwd” file.

Lab Solution

First, we need to visit the lab and click on the “view details” of any product.

After clicking, we will find a stock check feature.

Click on the stock check button and intercept the request using Burp Suite.

Once intercepted, forward the request to the repeater tab in Burp Suite.

Now, we know that the “productId” parameter is vulnerable to XML injection.

We will inject our payload into the productId value:

<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

By inserting this payload into the productId, we can execute the code to read the “/etc/passwd” file. Refresh the page in the browser to check if the lab has been solved.

As you can see, we have successfully solved Lab number 7, “Exploiting XInclude to retrieve files,” which focuses on XML injection. Congratulations!

you can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

To continue studying check out the next lab i.e. Exploiting XXE Via Image File Upload, cover the current lab before visiting the next lab. Good Luck!