Lab: Exploiting XInclude to retrieve files

Joel O.Joel O.
2 min read

Lab Scenario: Our mission is to exploit XInclude through a web application's "Check stock" feature. By intercepting and manipulating a POST request, we intend to use XInclude to retrieve files from the server. Let's proceed with the solution:

  1. Intercepting the POST Request:

    • Visit a product page and click "Check stock."

    • Intercept the resulting POST request using Burp Suite.

  2. Manipulating the productId Parameter:

    • Set the value of the productId parameter to exploit XInclude. Use the following payload:

        xmlCopy code<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

      This payload uses XInclude to include the contents of the /etc/passwd file.

  3. Sending the Modified Request:

    • Forward the modified request and observe the response from the server.

    • Note that the response contains the contents of the specified file, in this case, /etc/passwd.

  4. Exploiting XInclude for File Retrieval:

    • By utilizing XInclude, we have successfully retrieved the contents of a server file.

  5. Submitting the Solution:

    • Use the appropriate method provided by the lab to submit the solution, confirming the successful retrieval of sensitive information.

Conclusion: This lab exercise provides hands-on experience in exploiting XInclude to retrieve files from a web application. By following this step-by-step guide, users can deepen their understanding of XInclude vulnerabilities and the potential risks associated with improper handling of XML input. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to contribute to a more secure online environment.

Reference:

https://portswigger.net/web-security/xxe

https://portswigger.net/web-security/xxe/lab-xinclude-attack

6
Subscribe to my newsletter

Read articles from Joel O. directly inside your inbox. Subscribe to the newsletter, and don't miss out.

xxeBurpsuite portswiggerwebsecurity#cybersecurityhandson

Written by

Joel O.
Joel O.

A passionate cybersecurity enthusiast and cloud aficionado. I am on a mission to unravel the complexities of the ever-evolving cyber landscape and guide you through the vast expanse of cloud technology. As a cybersecurity professional, I bring a wealth of experience in securing digital ecosystems and defending against cyber threats. My journey in the cloud realm has been both thrilling and enlightening, and I am here to share my insights, discoveries, and practical tips with you. In these virtual pages, expect a fusion of in-depth cybersecurity analyses and explorations into the limitless possibilities of cloud computing and cybersecurity. Whether you're a seasoned cybersecurity professional, a cloud enthusiast, or someone just stepping into the digital frontier, there's something here for you.