Exploiting XXE to perform SSRF attacks

introduction

So, we have started the PortSwigger web security series in which we are currently working on server-side vulnerabilities. Today, we are exploring the topic of exploiting XXE to perform SSRF attacks. In this lab, we will perform practical step-by-step exploitation of the Exploiting XXE to perform SSRF attacks.

Lab Description For Exploiting XXE to perform SSRF attacks

This lab features a “check stock” feature that parses an XML input value and provides an unexpected output response. The lab server’s default URL is the EC2 metadata endpoint, which can be used to find sensitive data. The lab already provides us with the endpoint, which is http://169.254.169.254/. This lab features a “check stock” feature that parses an XML input value and provides an unexpected output response. The lab server’s default URL is the EC2 metadata endpoint, which can be used to find sensitive data. The lab already provides us with the endpoint, which is http://169.254.169.254/ for Exploiting XXE to perform SSRF attacks.

In order to solve the lab, we have to exploit the XML External Entity vulnerability through an SSRF attack and retrieve the server’s secret access key, which is available on the EC2 metadata endpoint.

Lab Solution

Firstly, access the lab and visit any product. After visiting the product, you will see a “check stock” feature. Intercept the “check stock” feature in Burp Suite and send it to the repeater.

As you can see, after intercepting the request and forwarding it to the repeater, an XML code is available. We will inject our payload into this XML code.

Firstly, we will put our external entity definition between the XML declaration and the stockcheck feature.

Here is the code that you need to upload.

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

As you can see, we are getting an “invalid product id: latest” error message. We will use “ip” instead of “latest” in the product ID. Also, remember to use “&xxe;” in the product ID.

http://169.254.169.254/latest

When I added /latest with the IP, I found another unique endpoint named http://169.254.169.254/latest/meta-data. Now, I will add it after /latest.

http://169.254.169.254/latest/meta-data

When I put “meta-data” in the URL, I found another endpoint called “iam”. Now, I will explore the “iam” endpoint.

http://169.254.169.254/latest/meta-data/iam

http://169.254.169.254/latest/meta-data/iam

After submitting http://169.254.169.254/latest/meta-data/iam/security-credential, I obtained another endpoint named ‘admin’.

Submitting http://169.254.169.254/latest/meta-data/iam/security-credential/admin resulted in me obtaining secret information.

As you can see, the web browser solved our lab when we visited the response.