Server Side Request Forgery - A Forged Document
Summary :
Server Side Request Forgery (SSRF) attacks are used to target internal systems that are behind firewalls and are not accessible from the external network. SSRF attacks can be exploited to access internally running services like SSH, Local-Host, FTP, Gopher etc. In a normal SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure.
Description :
I have found this server side request forgery vulnerability on a private bugcrowd program. The program was having an option to upload the documents where there was no validation on the uploaded file type. It was allowing all the files to get uploaded. So I simply wrote the payload and saved the file as .html and uploaded it. After some time I got the pingbacks on my burp collaborator server, so I checked the IP address using whois command and it was of the company itself but was different from the IP of my target and was not accessible from the internet. It was a basic SSRF attack where I was able to find the internal IP but was not able to exploit it further. The bug got triaged as P3 and I was rewarded bounty of 500 USD. Later the severity was changed to P4.
How I found this vulnerability ?
- I created an account and after logging in I got the option of uploading the document
2. I started burp collaborator client for generating the payload and copied the payload by clicking on “Copy to clipboard”
3. I created .html file with the code and pasted the copied payload and saved the file
4. I uploaded the .html file on my target website
5. After sometime I got the pingbacks on my burp collaborator client
Why it happened ?
In my opinion,
When I uploaded the .html file to the server, the server read the content of the file and tried to fetch the image from my burp collaborator client using its internal IP which got reflected on my burp collaborator client.
Exploit Code :
<html>
<body>
<img src=http://<BurpCollaboratorURL></img>
</body>
</html>
Then save it as .html and upload it.
Impact :
An attacker can exploit trust relationships to escalate an attack from the vulnerable application and perform unauthorized actions.
Mitigation :
A good way to mitigate ssrf attacks is to whitelist IP address or DNS name that the application needs to access. There is no universal fix to SSRF because it highly depends on the application functionality and business requirements.
In my case the mitigation should be that, that an application should only allow image files like pdf, png, jpeg, tiff etc to upload.
