Exploiting XXE for SSRF

Retrieving IAM credentials of EC2 instance using xxe and ssrf

Server-Side Request Forgery (SSRF):- SSRF is an attack in which an attacker can force a vulnerable server to trigger malicious requests to third-party servers and or to internal resources.

For more on SSRF and its exploitation check my previous blog:

https://medium.com/bugbountywriteup/exploiting-ssrf-for-admin-access-31c30457cc44

XML External Entity (XXE): An XML External Entity attack is a type of attack against an application that parses XML input. It often allows an attacker to view files on the application server file system, to interact with any backend or external systems that the application itself can access and it can be escalated to RCE as well.

For more on XXE check my previous blog:

https://medium.com/@gupta.bless/exploitation-xml-external-entity-xxe-1f5f3e7bc5c4

How to escalate XXE vulnerability to perform SSRF execution?

Exploiting this helps an attacker to access local infrastructure or internal network bypassing the WAF which can lead to sensitive information disclosure.

In order to utilize SSRF through the escalation of the XXE, the XML entity must be identified by the URL that we want to target and use the value of the data with defined entity. By using a given entity in data value i.e. returned in application’s response. Then we can able to view the response from the URL within the application response.

<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://localhost.com/"> ]>

In this XXE payload, “id” which is an external entity and make a HTTP back connect to access the internal infrastructure.

Exploitation:

We have a server which is vulnerable to XXE, the server provides access to internal network. The webserver is running an AWS metadata endpoint on its default URL. We need to have to fetch the IAM secret access key from the EC2 metadata endpoint.

Let’s suppose the vulnerable EC2 instance is located at this IP Address http://192.168.1.220.

The below request denotes that the application is using XML.

In the response, we saw that the xml is getting parsed so there may be a possibility of XXE. So to dig more I passed random string “blog” in XML payload. So, whenever I have changed the random string in XXE payload, that string got reflected in the response. That the application is vulnerable to XXE.

As we know that the application is vulnerable to XXE. I injected external entity into basic xxe payload.

<?xml version=”1.0" encoding=”UTF-8"?>
<!DOCTYPE foo [ <!ENTITY id SYSTEM “file:///etc/passwd”> ]>
<product><productId>&id;</productId></product>

Here id contain value of /etc/passwd file that defines external entity and uses the entity with in productId value. We manipulated above xxe payload according to application and used file schema so it can fetch the contents of /etc/passwd file.

After submitting the request.

Lets try to use Burp Collaborator to verify SSRF. Copy the payload to clipboard and then use that url inside this payload

<!DOCTYPE foo [<!ENTITY ssrf SYSTEM “<Burp Collaborator Client >”> ]>

Okay I have got a request in burp collaborator it means that this is vulnerable to SSRF. Now lets try to fetch the metadata information from that url.

The default path of the metadata is “/latest/meta-data/iam/security-credentials/”

Append this with the IP address provided and then send the request. IT will fetch the secret access keys, as shown below.

Remediation

· Disable Document type definition (DTD).If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that’s specific to each parser.

· Implement white listing policy for hostile XMS data, So that these data can be easily bypassed.

· Validate file uploads vulnerability from where we can upload xml data.

· Try to use updated version of XML processors so that there are less chance of bypass.