June 18, 2026
Writeup — Exploiting XXE to Perform SSRF Attacks
praditya arga
This lab shows how an XML External Entity (XXE) vulnerability can be used to perform Server-Side Request Forgery (SSRF). Unlike the previous XXE exploit that was used to read local files on the server, this time the external entity is used to force the server to send a request to an internal address that regular users shouldn't be able to access.
As a first step, I accessed the lab website using the Burp Suite built-in browser. Then, I triggered a POST request by using the "Check stock" feature on one of the products on the page.
Next, I looked at the captured request in Burp Suite under the Proxy > HTTP History tab. Here, it is clear that the application uses the XML format to send data to the server. Since that XML is handled by a server-side parser, which may resolve external entities and therefore be vulnerable to XXE, this request immediately became my main target for testing.
I then forwarded this XML request to the Repeater tab. Using Repeater allows me to easily modify the XML structure and test the request multiple times without needing to resend it from the browser every single time.
At the top of the XML document, I added an external entity declaration pointing to this URL:
http://169.254.169.254/
The goal here is to trick the XML parser into making an HTTP request to that address on behalf of the server. If the parser processes the external entity, the server will try to access resources on its own internal network.
After that, I changed the value inside the productId element to match the entity reference I just created.
When the request is processed, the XML parser fetches the content from the specified URL and places it inside the XML element. This way, the server indirectly returns the result of the internal request right back to me in the application's response.
The initial response only showed the names of the directories available on the metadata service. However, this was proof enough that the server successfully accessed the internal address.
So, I started modifying the URL in the external entity to navigate through the directories. Of course, you can't see the full directory path all at once, so I had to do it step by step, adding one directory name at a time. Each successful request gave me a clue about the next directory or resource I could access.
After navigating all the way to the endpoint:
/latest/meta-data/iam/security-credentials/admin
the server returned data in JSON format containing IAM credentials. Inside that response, I found highly sensitive information. The lab was successfully completed!
Little Explanation Uhuk!
This lab proves that the impact of XXE is not just limited to reading local files. By pointing an external entity to a specific URL, an attacker can force the server to make requests to internal systems that are otherwise hidden from the internet. This technique is known as Server-Side Request Forgery (SSRF). In this case, SSRF was used to access cloud metadata services and steal sensitive credentials like a SecretAccessKey.
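As an added example (not part of the original writeup or the lab), the snippet below shows the defensive side of what the walkthrough describes: a pre-parse check that uses Python's stdlib expat parser to report external entity declarations in a stock-check body without ever resolving them, and rejects requests whose entity points at the metadata address used in the lab. The request body, the entity name `xxe`, and the blocked host list are constructed for illustration; the metadata path is the one reached in the writeup.

```python
import xml.parsers.expat
from urllib.parse import urlparse

# Constructed stock-check body modelled on the lab request; the entity name
# "xxe" is an assumption, the SYSTEM URL is the path reached in the writeup.
XXE_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">
]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"""

# Constructed benign body: what the "Check stock" feature normally sends.
BENIGN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"""

# Hosts a stock-check request must never make the server contact (assumed list).
BLOCKED_HOSTS = {"169.254.169.254", "127.0.0.1", "localhost", "metadata.google.internal"}


def find_external_entities(xml_bytes):
    """Return [(entity_name, system_id)] for every external general entity
    declared in the DTD. expat only *reports* the declaration here; nothing is
    fetched, so the scan itself cannot be turned into the SSRF it looks for."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM/PUBLIC identifier means the parser is being asked to load a resource.
        if system_id is not None and not is_param:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # Never load external DTD subsets or parameter entities while scanning.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return found


def classify_request(xml_bytes):
    """Decide whether the body may reach the application's real XML parser.
    Returns (reject, reason); any external entity is grounds for rejection."""
    try:
        entities = find_external_entities(xml_bytes)
    except xml.parsers.expat.ExpatError as exc:
        return True, f"malformed XML: {exc}"
    if not entities:
        return False, "no external entities"
    name, system_id = entities[0]
    host = urlparse(system_id).hostname
    if host in BLOCKED_HOSTS:
        return True, f"entity {name} targets internal host {host} (SSRF attempt)"
    return True, f"entity {name} declares external resource {system_id}"
```

In production the same outcome is reached more simply by disabling DTD processing in the parser itself; this check is useful as a logging and alerting layer in front of parsers you do not control.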