Exploiting XInclude to retrieve files


In this article, we will solve the PortSwigger Web Security lab titled “Exploiting XInclude to retrieve files,” which focuses on XML vulnerabilities.

Lab Description

The lab has a “check stock” feature that takes user-provided input and inserts it into an XML document on the server. Because we don’t control the entire XML document, we cannot define a DTD or launch a classic XXE attack.

To solve the lab, we need to inject an XInclude statement to read the “/etc/passwd” file.

Lab Solution

First, we need to open the lab and click “View details” on any product.

After clicking, we will find a stock check feature.

Click on the stock check button and intercept the request using Burp Suite.

Once intercepted, send the request to the Repeater tab in Burp Suite.

Now, we know that the “productId” parameter is vulnerable to XML injection.

We will inject our payload into the productId value:

<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

With this payload in the productId value, the server’s XML parser processes the xi:include element and reads the “/etc/passwd” file as plain text (parse="text"). Refresh the page in the browser to check if the lab has been solved.

As you can see, we have successfully solved Lab number 7, “Exploiting XInclude to retrieve files,” which focuses on XML injection. Congratulations!
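
From the defender's side, the injection works because the productId value is placed into the server-side XML without validation. The following is an added example, not code from the lab or from PortSwigger: the template, element names and function names are assumptions made for illustration. It shows the payload above surviving as a live xi:include element when the value is concatenated raw, and being neutralised by escaping or strict validation.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"

# Constructed stand-in for the server-side document; the lab's real template
# is not shown in the article.
TEMPLATE = "<stockCheck><productId>{}</productId></stockCheck>"

# The payload from the walkthrough above.
PAYLOAD = ('<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
           '<xi:include parse="text" href="file:///etc/passwd"/></foo>')


def build_unsafe(product_id: str) -> str:
    """Vulnerable pattern: raw input is concatenated into the XML document."""
    return TEMPLATE.format(product_id)


def build_escaped(product_id: str) -> str:
    """Escape markup so the value can only ever be character data."""
    return TEMPLATE.format(escape(product_id))


def build_validated(product_id: str) -> str:
    """Strictest option: a product ID is a short decimal number, nothing else."""
    if not re.fullmatch(r"[0-9]{1,10}", product_id):
        raise ValueError("productId must be numeric")
    return TEMPLATE.format(product_id)


def xinclude_hrefs(xml_text: str) -> list:
    """List href values of xi:include elements in the document.

    ET.fromstring only parses; it never resolves XInclude, so no file is read.
    """
    root = ET.fromstring(xml_text)
    return [el.get("href") for el in root.iter(XI_INCLUDE)]


if __name__ == "__main__":
    print("unsafe :", xinclude_hrefs(build_unsafe(PAYLOAD)))
    print("escaped:", xinclude_hrefs(build_escaped(PAYLOAD)))
    try:
        build_validated(PAYLOAD)
    except ValueError as exc:
        print("validated: rejected,", exc)
```

On the parser side, leave XInclude processing disabled unless the application actually needs it.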

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser and install updates promptly. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and watch out for clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
