Solving Portswigger Academy: Exploiting XXE to perform SSRF attacks

Vishal
2 min read · Sep 24, 2024

In this lab we need to exploit SSRF via XXE and retrieve the IAM secret access key.

When you open the lab, you will see a page listing multiple products. Click View details on any product, then click Check stock and find that request in Burp's HTTP history.

Check Stock Response and Request

Now we need to test it for SSRF via XXE. For that I will use the payload below together with Burp Collaborator.

XXE payload

I will first inject it into the productId field.

Complete payload
Request and Response

And we can see the HTTP and DNS interactions in Burp Collaborator.

Burp Collaborator

This confirms that SSRF via XXE is possible. Now we need to retrieve the secret access key through the SSRF. For the payload I used PayloadsAllTheThings.

If you are not sure which path to use, just send a request to http://169.254.169.254 in the lab; the response reveals the available URIs one level at a time. The final payload looks like this:

final payload

Below is the complete request and its response.

SSRF request and response

The lab is solved as we are able to retrieve the required details.
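The lab works because the stock-check endpoint's XML parser honours the DOCTYPE in the request body and fetches the external entity. As an added example that is not part of this write-up, the following Python handler shows the server-side fix: it parses the same stockCheck document with the standard-library expat parser and aborts on any DOCTYPE, entity declaration or external entity reference, so no outbound request can ever be triggered. The sample bodies are constructed for this example, and the host in the XXE sample is a placeholder standing in for Collaborator or the metadata address.

```python
# Added example (not from the write-up): a hardened parser for the stock-check
# body that refuses any DTD, so an external entity can never be fetched.
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """Raised when a body carries a DOCTYPE, entity declaration or entity ref."""

def parse_stock_check(raw: bytes) -> dict:
    """Return {'productId': ..., 'storeId': ...} from a <stockCheck> document."""
    parser = expat.ParserCreate()
    path, text, fields = [], [], {}

    def reject(*_args):  # rejecting at the DOCTYPE stops parsing before any entity exists
        raise UnsafeXmlError("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    def start(name, _attrs):
        path.append(name)
        text.clear()

    def chars(data):  # expat may split one text node into several chunks
        text.append(data)

    def end(name):
        if path[:-1] == ["stockCheck"]:  # direct children of the root only
            fields[name] = "".join(text).strip()
        path.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(raw, True)
    return fields

def is_accepted(raw: bytes) -> bool:
    """True if the body passes the DTD guard, False if it was rejected."""
    try:
        parse_stock_check(raw)
        return True
    except UnsafeXmlError:
        return False

# Constructed sample bodies; the host in XXE_BODY is a placeholder, not a lab value.
BENIGN_BODY = b'<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>'
XXE_BODY = (b'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://ssrf-target.invalid/">]>'
            b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')
```

This is the same policy that defusedxml enforces with its forbid_dtd option: refuse DTDs outright rather than trying to filter the URLs an entity may point at.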
