Exploit XXE to Perform SSRF Attack

Captions
One of the main impacts of XML external entity (XXE) attacks is that they can be used to perform server-side request forgery, also called SSRF attacks. During this video we look at a scenario where an attacker exploits XML external entity injection to deliver an SSRF attack and get access to a back-end system inside a private network. For the purpose of this exercise we use a lab from Web Security Academy, and you can find the link to this lab in the video description. To solve the lab, we need to exploit the XML external entity vulnerability to perform an SSRF attack and obtain the server's IAM secret access key from the EC2 metadata endpoint.

All right, let's jump in and get started by clicking on "Access the lab". The application homepage contains a list of products. We choose one of these products and click on "View details". At the bottom of the product page we see the "Check stock" function. This function allows the application users to check the available items of this product in a particular store. First we turn on Burp Intercept so we can capture HTTP requests, then we choose a city from the drop-down menu and click on "Check stock". Looking at the body of the HTTP POST request, we see the application is using XML for sending data to the application server. The first line is the XML declaration, and it contains the XML version and the character encoding. We also see two XML elements: one of them is for the product ID and the other one is for the store ID. These elements contain the ID of the selected product and store. To experiment with this HTTP request and see if it's vulnerable to XML injection, we can use Burp Repeater, so let's right-click on this request and choose "Send to Repeater". Now we can turn off Burp Intercept and go to Repeater. Let's first send this request without making any changes to the XML document to see the application's normal response, so in the Request tab we click on "Send". The application returns a 200 HTTP response code, which means the format of the submitted request was as expected and the request contained no missing or invalid data, and in the body of the response we get the number of available items for the selected product.

Now we are interested to see what happens if we change the value of the product ID element in the HTTP request to an XML external entity. To exploit XML external entity injection, first we need to define an external entity using the URL from which the value of the entity should be loaded; then we need to put the entity reference inside an XML element, which in this case is the product ID element. Let's take a look at the payload that we can use to deliver the SSRF attack in this application. The external entity is defined inside the DOCTYPE declaration. The ENTITY keyword is used to declare the XML entity, followed by the name of the entity. The SYSTEM keyword is used to declare that this is an external entity, so its value should be loaded from the provided URL. From the lab description we know the IP address of the internal server, so we have used that IP address in the URL that we want to target. So far we have defined the XML external entity and the URL from which the value of the entity should be loaded. We also need to put the entity reference inside an element in the XML document; as we see, we have put the entity reference inside the product ID element. So if the application is vulnerable to XML external entity injection, then we should be able to perform SSRF and receive the response from the specified back-end system URL within the application response.

All right, let's go ahead and check if the application is vulnerable and we can get access to the back-end system. In Burp Repeater we go to the body of the request and add the external entity declaration after the XML declaration; then we need to put the entity reference in the product ID element. Now that we have injected our payload, we can go ahead and send this request. The application returns an error message, "Invalid product ID", followed by the response from the metadata endpoint, which seems to be a folder name. We copy the folder name and add it to the URL in the external entity, then send the request. We get another folder name. We need to repeat the same step until we find the secret access key. Finally we find the admin URL, so in the HTTP request we update the URL within the external entity and send the request. This time the application returns a JSON object. As we see, the returned JSON object contains the secret access key, so we managed to obtain the server's IAM secret access key from the EC2 metadata endpoint. If we go to the web browser, we see the message that we have solved the lab.

During this video we saw how an attacker could exploit XML external entity injection to perform an SSRF attack and get access to the back-end systems. I hope you enjoyed watching this video, and I'll see you in the next videos.
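As an added defender-side example (not code from the video, the lab, or the channel), here is a Python validator for the kind of stock-check request body the transcript describes. Instead of relying on whatever the XML library does with a DOCTYPE by default, it refuses any body that carries a DOCTYPE or ENTITY declaration before parsing, then parses the remaining XML with the standard library and insists that the product and store IDs are plain integers. The sample bodies, the element names (stockCheck, productId, storeId) and the internal-host URL are all constructed for this example; the rejection reasons are short codes that never include the submitted value, because the video shows the application reflecting the entity contents inside its "Invalid product ID" error, which is what turns the XXE into a readable SSRF.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct is rejected before parsing. This covers external entities,
# parameter entities and entity-expansion payloads alike, and avoids depending
# on the XML library's default DOCTYPE handling.
_DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed sample: a normal stock-check body (element names are assumed).
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)

# Constructed sample with the shape the video describes: an external entity
# declared in the DOCTYPE and referenced from the productId element.
# The URL is a placeholder, not a real host.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://internal-host.invalid/">]>'
    "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)

# Constructed sample: an entity reference with no declaration at all.
UNDECLARED_ENTITY_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)

# Constructed sample: well-formed XML but a non-numeric product ID.
BAD_ID_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>abc</productId><storeId>1</storeId></stockCheck>"
)


def has_dtd(body: str) -> bool:
    """True if the body declares a DOCTYPE or an ENTITY anywhere."""
    return _DTD_MARKER.search(body) is not None


def _as_positive_int(text):
    """Accept only a string of ASCII digits; return the int, or None."""
    if text is None:
        return None
    text = text.strip()
    if not text.isascii() or not text.isdigit():
        return None
    return int(text)


def validate_stock_check(body: str):
    """Validate a stock-check request body.

    Returns (True, {"productId": int, "storeId": int}) for an acceptable body,
    or (False, reason) where reason is a short code that never echoes any
    text taken from the request.
    """
    if has_dtd(body):
        return False, "dtd_not_allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed_xml"
    if root.tag != "stockCheck":
        return False, "unexpected_root"
    product_id = _as_positive_int(root.findtext("productId"))
    store_id = _as_positive_int(root.findtext("storeId"))
    if product_id is None:
        return False, "bad_product_id"
    if store_id is None:
        return False, "bad_store_id"
    return True, {"productId": product_id, "storeId": store_id}


if __name__ == "__main__":
    samples = [
        ("benign", BENIGN_BODY),
        ("xxe", XXE_BODY),
        ("undeclared_entity", UNDECLARED_ENTITY_BODY),
        ("bad_id", BAD_ID_BODY),
    ]
    for name, body in samples:
        print(name, validate_stock_check(body))
```

The rejection happens on the raw text, so it is safe to run as a first gate in a web framework middleware or a WAF rule as well as in the handler itself. It is one layer only: the same lab impact is also reduced on the host side, since an EC2 instance configured to require IMDSv2 session tokens will not answer the plain GET that an XML parser issues when resolving an external entity.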
Info
Channel: TraceTheCode
Views: 1,532
Id: fTpN0NCOOQI
Length: 5min 36sec (336 seconds)
Published: Thu May 12 2022