June 23, 2026
PortSwigger Web-Security Write-Up Lab: Exploiting XXE to perform SSRF attacks
Lab Description
By Regynda Ayudya
2 min read
— — — — — — — — — — — — — — Solving The Lab — — — — — — — — — — — — — — —
1. Open the lab and access it through Burp Suite.
2. Scroll down to see the wide selection of items.
3. Select one to check its stock and click 'Check Stock'.
4. In Burp Suite, go to the Proxy tab and the HTTP History sub-tab. Click on the row that says POST /product/stock to view the XML data structure, then right-click that row and choose 'Send to Repeater'.
5. Go to the 'Repeater' tab to view the details of the data structure.
6. In the Request section, add a line of exploit code right below the "<?xml…" line, before the line that follows it. Then replace the number "1" on the first line directly below with "&xxe;". Click 'Send' and look at the line that appears in the 'Response' section: it provides the next clue, "latest".
7. Update the URL by appending the keyword from the previous response and click Send; the response provides the next clue, "meta-data".
8. Update the URL again with that keyword and click Send; the response provides the next clue, "iam".
9. Update the URL again with that keyword and click Send; the response provides the next clue, "security-credentials".
10. Update the URL again with that keyword and click Send; the response provides the next clue, "admin".
11. Update the URL once more with that keyword and click Send; this time the response displays the confidential data.
12. Go back to the stock check page; an orange banner will appear saying "Congratulations, you solved the lab!"
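The lab works because the stock-check endpoint hands the raw XML body to a parser that resolves DTD entities, so an external entity can make the server fetch an internal URL on the attacker's behalf. The following is an added example (not PortSwigger's lab code, and not from the original write-up) of how the same endpoint can parse the body safely with only the Python standard library: any DOCTYPE, entity declaration or external entity reference is refused before the parser can resolve it, and the two fields are then validated as integers. The element names productId and storeId, the sample request bodies and the placeholder host are assumptions.

```python
"""Hardened stock-check XML parsing (added example, stdlib only).

Assumptions (not shown verbatim on the page): the POST /product/stock body
is <stockCheck><productId>N</productId><storeId>N</storeId></stockCheck>.
"""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when the body contains DTD constructs a stock check never needs."""


def parse_stock_check(body: str) -> dict:
    """Return {'productId': int, 'storeId': int}, or raise UnsafeXmlError."""
    fields = {}
    path = []   # element nesting, so only leaf text is captured
    buf = []    # character data of the element currently open

    # --- hardening: refuse every DTD feature before it can be resolved ---
    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE not allowed: %s" % name)

    def entity_decl(*args):
        raise UnsafeXmlError("entity declaration not allowed")

    def external_entity(context, base, system_id, public_id):
        # Reached only if a DOCTYPE slipped through; refuse the fetch outright.
        raise UnsafeXmlError("external entity refused: %r" % system_id)

    # --- ordinary element handling ---
    def start(name, attrs):
        path.append(name)
        buf.clear()

    def chars(data):
        buf.append(data)

    def end(name):
        if name in ("productId", "storeId"):
            fields[name] = "".join(buf).strip()
        path.pop()
        buf.clear()

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_entity
    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    try:
        p.Parse(body, True)
    except expat.ExpatError as exc:
        raise UnsafeXmlError("malformed XML: %s" % exc) from None

    # Positive-integer validation: an entity reference could never pass this.
    for key in ("productId", "storeId"):
        if not fields.get(key, "").isdigit():
            raise UnsafeXmlError("%s must be a positive integer" % key)
    return {key: int(fields[key]) for key in ("productId", "storeId")}


def is_rejected(body: str) -> bool:
    """True if the hardened parser refuses the body (used by the checks below)."""
    try:
        parse_stock_check(body)
    except UnsafeXmlError:
        return True
    return False


# Constructed sample bodies (not captured from the lab).
SAFE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)
# Same shape as the lab payload, but pointing at a placeholder host.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://internal-host.example/"> ]>'
    "<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"
)
NON_NUMERIC_BODY = (
    "<stockCheck><productId>abc</productId><storeId>1</storeId></stockCheck>"
)

if __name__ == "__main__":
    print(parse_stock_check(SAFE_BODY))       # {'productId': 1, 'storeId': 1}
    print(is_rejected(XXE_BODY))              # True
    print(is_rejected(NON_NUMERIC_BODY))      # True
```

Refusing the DOCTYPE outright is the simplest fix and matches what a stock-check request actually needs; the entity and external-entity handlers are kept as defence in depth in case a different parser configuration is ever substituted. Logging the UnsafeXmlError (with the offending system id) also gives the SOC a clear detection signal for attempts like the one in this lab.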
Thank You!