In this post, you will see how an XML external entity (XXE) vulnerability can be exploited to perform server-side request forgery (SSRF). The lab can be found at this link (https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf).
The lab description mentions that the app server is running on an AWS EC2 instance. To retrieve metadata about the server, you will need to inject an external entity to call this URL:
Next, note that an XML payload is being posted to the server. Below is the screenshot:
If you change the Product ID value to a random string, you can see that the response echoes the random string back. This means that you can inject the metadata into the Product ID to retrieve the information.
You will need to inject the below external entity into the XML payload:
The response will return ‘latest’. But what the hell is that? It took me a while to figure out that this is a folder name.
Now that the URL is ‘http://169.254.169.254/latest’, the value ‘metadata’ is returned.
Eventually, as you keep appending each returned folder name to the URL, you will see the AWS EC2 metadata.
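The server-side counterpart to the steps above, as an added example that is not part of the original post or the lab's code: a stock-check parser that refuses any DOCTYPE, so no entity can be declared, and never echoes the submitted Product ID back. The element names `stockCheck`, `productId` and `storeId`, the function names and the sample requests are assumptions constructed for illustration.

```python
from xml.parsers import expat


class RejectedXML(ValueError):
    """Request body is malformed or uses a forbidden XML feature."""


def parse_stock_check(body: str) -> dict:
    """Parse a stock-check request without ever processing a DTD."""
    fields, buf = {}, []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE itself means no entity can be declared.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def end(name):
        if name in ("productId", "storeId"):  # assumed element names
            fields[name] = "".join(buf).strip()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = lambda name, attrs: buf.clear()
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        raise RejectedXML("malformed XML") from None

    result = {}
    for key in ("productId", "storeId"):
        value = fields.get(key, "")
        if not (value.isascii() and value.isdigit()):
            # Generic message: the submitted value is never reflected.
            raise RejectedXML(f"{key} must be a number")
        result[key] = int(value)
    return result


def rejection_reason(body: str):
    """Return None when the request is accepted, else the reason."""
    try:
        parse_stock_check(body)
    except RejectedXML as exc:
        return str(exc)
    return None


# Constructed sample requests (not captured from the lab).
HEAD = '<?xml version="1.0" encoding="UTF-8"?>'
SAMPLE_OK = HEAD + "<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>"
SAMPLE_ECHO = HEAD + "<stockCheck><productId>zzz-random</productId><storeId>1</storeId></stockCheck>"
SAMPLE_DTD = (HEAD + '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://169.254.169.254/">]>'
              "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>")
```

With the DOCTYPE refused and the Product ID restricted to digits, the request in `SAMPLE_DTD` is rejected before any URL is fetched, and the reflection channel seen with the random string no longer exists.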