Lab: Exploiting XXE to retrieve data by repurposing a local DTD
- Maryam Ziaee
- Oct 13
- 1 min read
This lab has a "Check stock" feature that parses XML input but does not display the result.
To solve the lab, trigger an error message containing the contents of the /etc/passwd file.
You'll need to reference an existing DTD file on the server and redefine an entity from it.
Visit a product page, click "Check stock", and intercept the resulting POST request in Burp Suite.
Comments