XXE Injection — Portswigger Lab2

Abdul Wassay (HotPlugin)
2 min read · May 13, 2022

Lab Challenge:

Solution:

Accessing the lab, we get the following landing page.

Clicking on any product to view detail, we can see the check stock functionality at the end of product description.

Clicking on check stock, it returns the stock amount for that store.

Analyzing the request in Burp Suite, we see it is POSTing data as XML.

Sending the request to Burp Repeater, we define a DTD (Document Type Definition) that declares an external entity named pwn. When the server's parser expands it, it performs SSRF (Server Side Request Forgery) and loads data from the specified URL. This URL was provided in the challenge description.

Sending the request, we get an endpoint in the response.

Append the found endpoint to the URL and send the request again.

Again we get another endpoint. Do the same as above.

Continue appending endpoints to the URL.

Eventually you reach the EC2 instance metadata, which contains sensitive info.
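The fix on the server side is to never let a request body carry a DTD at all. The following is an added example (not code from the lab or the original post) of a stock-check handler that aborts on any DOCTYPE, entity declaration or external entity reference before reading fields; the <stockCheck> request shape, the placeholder URL and both sample payloads are constructed for this example, and the check is built on the standard-library expat handlers rather than a third-party hardened parser.

```python
# Added example: refuse DTD constructs before parsing a stock-check request.
# Request format and sample payloads are constructed, not taken from the lab.
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when the document contains DTD constructs we never expect."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat; any DTD construct aborts parsing with UnsafeXMLError."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # a handler raises before any URL could be fetched


def parse_stock_check(xml_bytes: bytes) -> tuple[int, int]:
    """Return (productId, storeId) from a benign request; raise on DTD or bad data."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element")
    # Coercing to int means entity-expanded text can never reach a backend lookup.
    return int(root.findtext("productId")), int(root.findtext("storeId"))


# Constructed samples: a normal request and one carrying an external entity
# in the style of the write-up (the URL is a placeholder, not a real target).
BENIGN = b"<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
MALICIOUS = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE stockCheck [<!ENTITY pwn SYSTEM "http://metadata.placeholder/">]>'
             b"<stockCheck><productId>&pwn;</productId><storeId>1</storeId></stockCheck>")

if __name__ == "__main__":
    print(parse_stock_check(BENIGN))  # (1, 1)
    try:
        parse_stock_check(MALICIOUS)
    except UnsafeXMLError as exc:
        print("rejected:", exc)  # rejected: DOCTYPE declaration not allowed
```

Logging the UnsafeXMLError message at the edge also gives a simple detection signal, since legitimate clients never send a DOCTYPE in this request.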

Thanks.

References:
