
Lab Write-up: Exploiting XXE to perform SSRF attacks


In this post, you will see how an XML external entity (XXE) attack can be exploited to perform an SSRF. The lab can be found at this link (https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf).

In the lab description, it was mentioned that the app server is running on an AWS EC2 instance. To retrieve metadata about the server, you will need to inject an external entity that references this URL:
http://169.254.169.254/

The next thing to take note of is that the XML payload is posted to the server. Below is the screenshot:

If you change the Product ID value to a random string, you can see that the response echoes the random string back. This means the Product ID field is where you inject the entity that retrieves the metadata.

Notice that when we change the product ID to ‘testing123’, the value is reflected back.

You will need to inject the external entity below into the XML payload:

The response will return ‘latest’. But what the hell is that? It took me a while to figure out that this is a folder name.

Now, when the URL is ‘http://169.254.169.254/latest’, the value ‘metadata’ is returned.

Keep appending each returned folder name to the URL and you will eventually see the AWS EC2 metadata.
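To show what the server side of this lab is missing, here is an added example (not code from the lab or from this write-up) of a pre-parse guard: it reads the DOCTYPE of the stock-check request with the standard-library expat parser, reports any SYSTEM entity such as the one pointing at the metadata URL, and refuses the request before anything is resolved. The element names `stockCheck`/`productId`/`storeId` and both sample documents are constructed assumptions about the lab's request body.

```python
# Added example: detect and reject XXE payloads before entity resolution.
# Standard library only; no network access happens during inspection.
import xml.parsers.expat
import xml.etree.ElementTree as ET


def inspect_xml(xml_text: str) -> dict:
    """Report DOCTYPE and entity declarations found in an XML document.

    Expat fires EntityDeclHandler while reading the internal DTD subset, before
    any entity is expanded. No ExternalEntityRefHandler is installed, so an
    external reference like &xxe; is skipped rather than fetched.
    """
    report = {"doctype": False, "external_entities": [], "internal_entities": []}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        report["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # <!ENTITY x SYSTEM "..."> -> external resource
            report["external_entities"].append((name, system_id))
        else:
            report["internal_entities"].append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)
    return report


def check_stock_request(xml_text: str):
    """Return (accepted, detail): the productId when clean, else the reason."""
    report = inspect_xml(xml_text)
    if report["doctype"]:  # a stock check never needs a DTD: reject it outright
        return False, "DOCTYPE rejected; external entities: %r" % (report["external_entities"],)
    root = ET.fromstring(xml_text)
    node = root.find("productId")
    if node is None or not node.text:
        return False, "productId missing"
    return True, node.text.strip()


# Constructed sample requests (assumed shape of the lab's stock-check body).
BENIGN = '<?xml version="1.0"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
XXE = ('<?xml version="1.0"?><!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://169.254.169.254/">]>'
       '<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')

if __name__ == "__main__":
    print(check_stock_request(BENIGN))  # (True, '1')
    print(check_stock_request(XXE))     # (False, "DOCTYPE rejected; ... ('xxe', 'http://169.254.169.254/')")
```

Rejecting every DOCTYPE is the simplest safe policy for an endpoint like this; if a DTD is genuinely required, the `external_entities` list gives you the log line to alert on.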

