Lab #1 Exploiting XXE using external entities to retrieve files
In this video, we cover Lab #1 in the XXE Injection module of the Web Security Academy. This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. To solve the lab, we inject an XML external entity to retrieve the contents of the /etc/passwd file.
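The lab works because the stock-check parser resolves the DOCTYPE and external entity that the attacker supplies. The defensive counterpart, as an added example that is not from the video or the linked script: a stdlib-only Python handler that refuses any DOCTYPE or entity declaration before parsing, then validates the two fields the lab's request carries. The request shape (stockCheck/productId/storeId) follows the lab; the function names, the error type and the constructed sample inputs are assumptions.

```python
"""Hardened 'Check stock' XML handling (added example, not the lab's code).

Disabling DTDs entirely is the standard XXE fix: an external entity can
only be declared inside a DOCTYPE, so if the parser aborts the moment it
sees one, there is nothing left to expand into the response.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a request contains a DOCTYPE/entity declaration or bad fields."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE or ENTITY declaration.

    Expat invokes these handlers as soon as it reads the declaration, before
    any entity value is fetched or substituted, so an exception raised here
    stops processing without the file ever being touched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not allowed")

    def on_entity(*_args):
        raise UnsafeXMLError("entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_stock_check(xml_bytes: bytes) -> dict:
    """Parse a stockCheck request and return validated integer fields.

    Even after the DTD check, the values are whitelisted as digits: the lab
    leaks data precisely because unexpected values are echoed back, so the
    handler never returns anything it did not explicitly expect.
    """
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "stockCheck":
        raise UnsafeXMLError("unexpected root element")
    product_id = root.findtext("productId", "").strip()
    store_id = root.findtext("storeId", "").strip()
    if not (product_id.isdigit() and store_id.isdigit()):
        raise UnsafeXMLError("productId and storeId must be integers")
    return {"productId": int(product_id), "storeId": int(store_id)}


if __name__ == "__main__":
    # Constructed sample inputs: a normal request and one carrying a DOCTYPE.
    benign = (b"<?xml version='1.0'?>"
              b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>")
    hostile = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE stockCheck [<!ENTITY ext SYSTEM 'file:///constructed/path'>]>"
               b"<stockCheck><productId>&ext;</productId><storeId>1</storeId></stockCheck>")
    print(parse_stock_check(benign))
    try:
        parse_stock_check(hostile)
    except UnsafeXMLError as err:
        print("rejected:", err)
```

The pre-scan is separate from the real parse on purpose: it makes the rejection explicit and logged rather than relying on the default parser happening to fail on an undefined entity, and the same function can sit in front of any XML endpoint.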
▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬
Python script: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/xxe-injection/lab-01/xxe-injection-lab-01.py
Notes.txt document: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/xxe-injection/lab-01/notes.txt
Web Security Academy Exercise Link: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files
Rana's Twitter account: https://twitter.com/rana__khalil