XXE Attack -
- XML External Entities - Overview - Part I
- XML External Entities - Inband - Part II
- XML External Entities - Out of band (HTTP) - Part III
- XML External Entities - Billion Laughter Attack - Part IV
- XML External Entities - SSRF - Part V
- XML External Entities - DNS Resolution - Part VI
Hi guys, I hope you have gone through the previous parts of XXE. This post talks about how SSRF (Server Side Request Forgery) works through an XXE attack, along with a practical demonstration. Before we get into the attack, let us understand SSRF.
What is Server-Side Request Forgery (SSRF)?
Server-Side Request Forgery (SSRF) is a relatively little-known attack, and most people are confused about how it actually works. An SSRF vulnerability allows an attacker to make the back-end server of a vulnerable web application issue a request that the attacker crafts.
Let’s take a moment to understand where the vulnerability resides. It is common for an online application to fetch external resources as part of its functioning. For example, to share this post on Twitter, the Twitter server would need to make a request to this page in order to extract the information it needs, like the images and description. The vulnerability lies in this link expansion, and Twitter, too, was vulnerable to SSRF until recently. SSRF attacks target internal, protected systems that would not be accessible to an attacker from the external network. Additionally, an attacker can also leverage SSRF to reach services on the victim server itself that are listening on the loopback interface (127.0.0.1).
Perform SSRF through XXE
There is a simple difference between out-of-band XXE and SSRF through XXE: when the attacker’s server receives a GET/HTTP request from the target server but no file contents come with it, we call it SSRF through XXE. The attacker uses the vulnerable server as a medium to perform a Denial of Service attack on the actual target. Below is a practical demonstration of the same.
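As an added example (my own code, not from the original post or the xxelab application), here is the defender's view of the same mechanism using only Python's standard library: a triage function that flags external entity declarations in an XML request body and tells the network-URI case (SSRF / out-of-band, the kind a Collaborator listener records) apart from the local-file case (in-band), plus a parser configured so that the external entity is never fetched. The collaborator hostname, the sample document and the short scheme list are all constructed for the example.

```python
"""Added example (not from the original post): triage an XML request body for
external entity declarations that would make the parsing server issue an
outbound request, then parse the body with external entity loading disabled.
Standard library only; the sample document below is constructed."""
import io
import re
import xml.sax
from xml.sax import handler

# Constructed request body: one entity points at an HTTP URL (the SSRF /
# out-of-band case from the post), one at a local file (the in-band case).
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://collaborator.example.invalid/ping">
  <!ENTITY local SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name><note>&local;</note></data>"""

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY % name PUBLIC "pubid" "uri">
ENTITY_DECL = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%>]+)\s+"""
    r"""(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+"""
    r"""(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""",
    re.IGNORECASE,
)
# Assumed, deliberately short list; extend it for the schemes your parser honours.
NETWORK_SCHEMES = {"http", "https", "ftp"}


def classify_external_entities(xml_bytes):
    """Return one finding per external entity declared in the internal DTD subset.

    kind == "network": the parser would open a connection to the named host
    (SSRF, or out-of-band exfiltration if file data is appended to the URL).
    kind == "local":   the parser would read a file on the server (in-band XXE).
    """
    text = xml_bytes.decode("utf-8", errors="replace")
    findings = []
    for m in ENTITY_DECL.finditer(text):
        uri = m.group("dq") if m.group("dq") is not None else m.group("sq")
        scheme_match = re.match(r"[A-Za-z][A-Za-z0-9+.-]*(?=:)", uri)
        scheme = scheme_match.group(0).lower() if scheme_match else ""
        if scheme in NETWORK_SCHEMES:
            kind = "network"
        elif scheme in ("", "file"):
            kind = "local"
        else:
            kind = "other"
        findings.append({
            "name": m.group("name"),
            "parameter": m.group("param") is not None,
            "uri": uri,
            "scheme": scheme,
            "kind": kind,
        })
    return findings


class _TextCollector(handler.ContentHandler):
    """Collect the character data of each element so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.texts = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        self.texts[name] = "".join(self._buf)


def parse_without_external_entities(xml_bytes):
    """Parse with external general and parameter entities disabled.

    expat then passes over the reference without fetching it, so &xxe; expands
    to nothing and no HTTP request leaves the server. Recent Python versions
    already default feature_external_ges to False; setting both features
    explicitly keeps the behaviour independent of the interpreter's defaults.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.texts


if __name__ == "__main__":
    for finding in classify_external_entities(SAMPLE_XML):
        print(f"{finding['kind']:8} {finding['name']} -> {finding['uri']}")
    print(parse_without_external_entities(SAMPLE_XML))
```

Run as a script, it lists the two findings and then prints the parsed text, where the `name` element comes back empty because the HTTP entity was never dereferenced; that unsent request is exactly what the Collaborator client in the demo below would otherwise record. The triage function is the kind of check you would put in front of the parser (or in request logging) so that a DOCTYPE carrying a network URI is flagged before any parser gets to act on it.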
Demo
For this demo, we will be using the same application that was used in XML External Entities - Inband - Part II. If you haven’t already set it up or downloaded it, please visit XML External Entities - Inband - Part II for the setup.
Step 1: Navigate to http://localhost/xxelab/penlab/ as shown in Exhibit 1.
Exhibit 1
Step 2: Intercept the request using a proxy tool like Burp Suite. Click on Burp → Burp Collaborator Client → Copy to Clipboard, as shown in Exhibit 2.
Exhibit 2
Exhibit 2 shows that the Burp Collaborator client receives an HTTP request from the server.
I hope you enjoyed reading this. The next part is the last one, i.e. XML External Entities - DNS Resolution - Part VI. Please like, share and comment.