OWASP Top 10
XXE to SSRF - Internal Network Access (Medium, 200 points)
Challenge Description

This XML parser can be exploited not just to read files, but also to make HTTP requests to internal services. Use XXE to perform Server-Side Request Forgery (SSRF) and access internal APIs, cloud metadata, and private services.

Objective: Use XXE to access internal services and retrieve the flag from an internal API. The flag format is FLAG{...}
Discoverable Internal Services

The server has access to these internal services (simulating a common enterprise network):

  • http://localhost:8080 - Internal admin panel
  • http://192.168.1.100:8080 - Internal API server
  • http://169.254.169.254/latest/meta-data/ - AWS IMDS
  • http://10.0.0.50:8000 - Metadata service
  • http://consul.service.consul:8500 - Consul agent
Cloud Metadata Endpoints
  • AWS IMDS v1: http://169.254.169.254/latest/meta-data/
  • AWS IAM credentials: .../iam/security-credentials/<role>
  • GCP metadata: http://metadata.google.internal/...
  • Azure IMDS: http://169.254.169.254/metadata/...
Internal IP Ranges
  • 127.0.0.1 - Localhost
  • 10.0.0.0/8 - Private Class A
  • 172.16.0.0/12 - Private Class B
  • 192.168.0.0/16 - Private Class C
  • 169.254.0.0/16 - Link-local (metadata)
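As an added defensive example (not code from the challenge platform), the server-side controls that close off exactly this pattern: reject XML carrying a DOCTYPE before it reaches the parser, log the SYSTEM/PUBLIC URIs of any entity declarations it does carry, and classify fetch targets against the internal ranges and metadata hostnames listed above. It assumes the page's ranges widened to 127.0.0.0/8 for loopback, and it performs no DNS resolution.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Ranges from the page's "Internal IP Ranges" list; 127.0.0.1 widened to the
# whole loopback block, an assumption for this example.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Hostnames from the page that reach internal services without an IP literal.
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".consul", ".internal", ".localhost")

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# SYSTEM "uri" or PUBLIC "pubid" "uri" inside an <!ENTITY ...> declaration.
_ENTITY_RE = re.compile(
    rb"""<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["']([^"']+)["']""",
    re.IGNORECASE)

def has_doctype(xml_bytes: bytes) -> bool:
    """True if the document declares a DOCTYPE; ENTITY declarations live there,
    so rejecting it up front removes the XXE surface for untrusted input."""
    return _DOCTYPE_RE.search(xml_bytes) is not None

def external_entity_targets(xml_bytes: bytes) -> list[str]:
    """URIs named by SYSTEM/PUBLIC entity declarations, for alerting and logging."""
    return [m.decode("utf-8", "replace") for m in _ENTITY_RE.findall(xml_bytes)]

def is_internal_target(url: str) -> bool:
    """Classify a URL as pointing at an internal or metadata service.

    No DNS is performed, so a real egress guard must also resolve the host and
    re-check the address it actually connects to (DNS rebinding, redirects).
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return True  # no host (e.g. file:///...) or unparsable: fail closed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: match the page's known internal names
        return host in INTERNAL_HOSTNAMES or host.endswith(INTERNAL_SUFFIXES)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.50 is still 10.0.0.50
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETWORKS)

def triage_xml(xml_bytes: bytes) -> dict:
    """Decision record for an inbound XML document: reject on DOCTYPE and
    report which declared entity URIs point inside the network."""
    targets = external_entity_targets(xml_bytes)
    return {"reject": has_doctype(xml_bytes), "targets": targets,
            "internal_targets": [t for t in targets if is_internal_target(t)]}
```

The `internal_targets` list is what a detection rule should alert on; the `reject` flag alone is the safe default for any endpoint that does not need DTDs.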