XXE Injection — Portswigger Lab 1

Lab Challenge:

Solution:

Opening the lab, we land on the following page.

Clicking on any product to view its details, we can see the check stock functionality at the end of the product description.

Clicking on check stock, it returns the stock amount in that store.

Analyzing the request in Burp Suite, the stock check POSTs its data as XML.

Sending the request to Burp Repeater, we define a DTD (Document Type Definition) that declares an external entity named pwn which reads the /etc/passwd file, and we reference that entity inside the product id tag.

Sending the request, we get a bad request error, but the response also contains the contents of /etc/passwd.
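The reason the lab is exploitable is that the server's XML parser honours the DTD and resolves the external entity. The following is an added example, not part of the original write-up or of PortSwigger's lab code, showing the server-side counterpart: a stock-check handler that inspects the request for any DOCTYPE or entity declaration before parsing and rejects it, so the constructed payload from the write-up is logged and refused rather than expanded. The element names stockCheck, productId and storeId are assumed from the lab's request format; the code uses only the Python standard library.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a request carries DTD constructs the endpoint never needs."""


def scan_for_dtd(xml_bytes: bytes) -> list:
    """Return a description of every DOCTYPE / entity declaration found.

    An empty list means the document has no DTD at all, which is the only
    state a stock-check request should ever be in. Expat is used purely as
    an inspector here: no handler is registered for external entity
    references, so nothing is fetched from disk or network during the scan.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # sysid is set only for external entities (SYSTEM "...")
        kind = "external" if sysid else "internal"
        findings.append(f"{kind} entity {name}" + (f" SYSTEM {sysid}" if sysid else ""))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)
    return findings


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Hardened handler: refuse any DTD, then accept only numeric ids."""
    findings = scan_for_dtd(xml_bytes)
    if findings:
        # In production this is the line to alert on: a DTD in this request is an attack signal.
        raise UnsafeXmlError("DTD not allowed in stock-check request: " + "; ".join(findings))
    root = ET.fromstring(xml_bytes)
    if root.tag != "stockCheck":
        raise ValueError(f"unexpected root element {root.tag!r}")
    product_id = root.findtext("productId", "").strip()
    store_id = root.findtext("storeId", "").strip()
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("productId and storeId must be integers")
    return {"productId": int(product_id), "storeId": int(store_id)}


# Constructed sample requests: a normal stock check and the XXE attempt from the write-up.
BENIGN_REQUEST = b"<?xml version='1.0'?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
XXE_REQUEST = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE stockCheck [<!ENTITY pwn SYSTEM \"file:///etc/passwd\">]>"
               b"<stockCheck><productId>&pwn;</productId><storeId>1</storeId></stockCheck>")
```

Rejecting the DOCTYPE outright is stricter than disabling entity resolution alone, and it is the right choice for an endpoint whose schema never uses one; the same check also stops the error-based variant, since the parser never reaches the entity reference.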

Thanks.

References:

HotPlugin

Software Engineer into Reverse Engineering and Other things