Solving Portswigger Academy: Exploiting XInclude to retrieve files

Vishal
2 min read · Sep 25, 2024

This lab has a “Check stock” feature that embeds the user input inside a server-side XML document that is subsequently parsed.

Because you don’t control the entire XML document you can’t define a DTD to launch a classic XXE attack.

To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file.

Access the lab and click "View details" on any product, then click "Check stock". When you inspect the request, you will notice that this time it does not contain XML.

Now let's check whether we can change the request body to XML and have the server process it. It did not work.

Let's switch our attack to XInclude. It looks like the application is looking for the productId parameter. Let's use the payload below in productId.

You will notice our attack is successful.

Let's remove the parse attribute from the payload above to test what happens. When we remove it, we receive an error in the response.
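The root cause the lab describes is user input concatenated into a server-side XML document that is then parsed. As an added example (not the lab's or the author's code), the snippet below contrasts that concatenation with an escaped version, and adds a defence-in-depth check that refuses any document carrying elements in the XInclude namespace before an include step runs. The request template, the `stockCheck` element name and the placeholder `href` are assumptions for illustration.

```python
# Added example, not code from the lab: escaping the embedded value keeps it a
# text node, and a namespace check catches XInclude elements before the
# parser's include step (e.g. xml.etree.ElementInclude.include) is ever run.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"  # namespace defined by the XInclude spec

# Constructed sample input: an XInclude element submitted as the productId value.
# The href is a placeholder, not a real target.
HOSTILE_PRODUCT_ID = (
    '<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" '
    'href="PLACEHOLDER" parse="text"/>'
)


def build_stock_check_unsafe(product_id: str) -> str:
    """Vulnerable pattern: raw string concatenation into the XML template
    (assumed template; the lab's real document is not shown on the page)."""
    return f"<stockCheck><productId>{product_id}</productId></stockCheck>"


def build_stock_check_safe(product_id: str) -> str:
    """Hardened pattern: escape &, < and > so the value can only ever be text."""
    return f"<stockCheck><productId>{escape(product_id)}</productId></stockCheck>"


def contains_xinclude(xml_doc: str) -> bool:
    """Defence in depth: True if any element lives in the XInclude namespace.
    Call this before any XInclude processing and reject the request if it fires."""
    root = ET.fromstring(xml_doc)
    return any(el.tag.startswith("{%s}" % XINCLUDE_NS) for el in root.iter())


def product_id_text(xml_doc: str) -> str:
    """What the application reads back as the productId text value."""
    return ET.fromstring(xml_doc).findtext("productId") or ""


if __name__ == "__main__":
    unsafe = build_stock_check_unsafe(HOSTILE_PRODUCT_ID)
    safe = build_stock_check_safe(HOSTILE_PRODUCT_ID)
    # Concatenation turns the input into a real element; escaping keeps it text.
    print("unsafe doc carries XInclude:", contains_xinclude(unsafe))  # True
    print("safe doc carries XInclude:  ", contains_xinclude(safe))    # False
    print("safe doc productId text:    ", product_id_text(safe))
```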
