XXE to SSRF


Last updated 2 years ago

Apart from getting juicy information, we can even perform an SSRF attack, which is a very serious issue: the server-side application can be made to send HTTP requests to any URL.

In order to do that we'll have to define an external entity, like we did previously; the only difference is that we'll have to enter a valid URL to get a pingback.

We can test for an internal entity as well; if that doesn't work, we can define our external one:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>

In the above example, the external entity will make the server send an HTTP request to an internal system within the organization.

Payload - <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>

As usual, change the productID to &xxe; to trigger our payload. We see something interesting called latest; assuming that's an endpoint, we append it to the DTD and trigger it again.

We get another endpoint called meta-data. Continuing the same strategy, the URL looked something like:

http://169.254.169.254/latest/meta-data/iam/security-credentials/admin

This finally returned JSON content containing the SecretAccessKey.
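The fix on the server side is to never let untrusted XML declare entities at all. As an added example (not from the original page), here is a stdlib-only parser wrapper that refuses any `<!ENTITY ...>` declaration before the body is parsed, so a SYSTEM entity aimed at 169.254.169.254 is never fetched, and that returns a log-ready record of the refused target; the function names and the stock-check request bodies are constructed for this illustration.

```python
import xml.parsers.expat


class EntityDeclarationRefused(ValueError):
    """Untrusted XML declared an entity; .target is its SYSTEM URL or literal value."""

    def __init__(self, name, target):
        super().__init__(f"entity '{name}' refused (target: {target!r})")
        self.name, self.target = name, target


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {element: text} for a flat document, refusing any <!ENTITY ...>.
    Expat reports the internal DTD subset via EntityDeclHandler before the body,
    so a SYSTEM entity aimed at 169.254.169.254 is rejected before any fetch."""
    parser = xml.parsers.expat.ParserCreate()
    text, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        text.setdefault(name, "")

    def chars(content):
        if stack:
            text[stack[-1]] += content

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # system_id is set for SYSTEM/PUBLIC entities, value for internal ones.
        raise EntityDeclarationRefused(name, system_id or value)

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.EntityDeclHandler = entity_decl
    # Defence in depth: returning 0 makes expat abort instead of fetching.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(data, True)
    return text


def audit_untrusted_xml(data: bytes) -> dict:
    """Application-facing wrapper: parsed fields, or a log-ready refusal record."""
    try:
        return {"accepted": True, "fields": parse_untrusted_xml(data)}
    except EntityDeclarationRefused as exc:
        return {"accepted": False, "entity": exc.name, "target": exc.target}


# Constructed sample bodies; the stock-check shape mirrors the productId field above.
SAFE_XML = b"<stockCheck><productId>381</productId><storeId>1</storeId></stockCheck>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>'
           b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>")
```

The refusal record (entity name plus target URL) is what you want to ship to your SIEM: a declared SYSTEM entity pointing at the link-local metadata address is a high-confidence indicator on its own, whether or not the request was blocked.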