
Server-Side Request Forgery (SSRF) allows internal ports scanning


Hi everyone, I am socalledhacker, a security researcher, penetration tester, certified ethical hacker and a web3 noob. In the past months I have discovered lots of bugs, but in today’s article we are going to discuss a Server-Side Request Forgery (SSRF) that allows internal port scanning, which I discovered recently. So without further delay, let’s start….

Recently I was hunting on a large wide-scope program and found an interesting server-side request forgery bug in a form field, then escalated it to a bigger impact. Let’s dive into how I found this bug and how you can try to find the same kind of issue on other applications.

Let’s say the program name is example.com and there is a subdomain like helpdesk.example.com where users can submit their queries by filling in a form. I thought there was a possibility of SSRF there, so I fired up Burp Suite, put my Collaborator URL in the first name, last name, subject and description fields, also inserted the Collaborator URL in the description’s “insert link” section, and submitted the form.

Surprisingly, multiple HTTP requests hit my Collaborator, so at that point SSRF was confirmed, but only as a P4, as there was not much impact yet. I was curious which field of the form was vulnerable, so I put a Collaborator link in each field in a format like collab.link.oastify.com/name, collab.link.oastify.com/subject, collab.link.oastify.com/description etc., and found that the subject field was the vulnerable one.

But there was a problem: the form uses the HTTP POST method, so data exfiltration is difficult because with a POST-based request no data comes back from the server. So I tried port scanning, and it worked. When I hit multiple closed ports I got only DNS queries; when I hit port 80 and port 25, which are open, I got HTTP and SMTP interactions respectively. In other words, a closed port produces only a DNS lookup, while an open port produces a DNS lookup followed by a service-level request.

Remember: while testing for SSRF, always put your Collaborator link in every input field, and for POST-based requests try port scanning as well as other methods of data exfiltration.

As always POC time 🙂

Description:- An SSRF vulnerability allows an attacker to perform internal port scanning by observing differences in DNS and service-level request behaviour. By leveraging the SSRF, the attacker is able to differentiate between closed and open ports on internal services.

When the SSRF request is directed at a closed port, only a DNS query is triggered, as no response from the service is received.

For open ports, a full service request is generated, which is detected on the collaborator endpoint.

This behaviour enabled identification of open services based on the observed response patterns:

Port 25 (SMTP) – Received SMTP-specific data on the collaborator.

Port 80 (HTTP) – Received HTTP requests on the collaborator.

Steps to reproduce:-

  1. Open this URL in a browser: https://example.com/support/tickets/new
  2. Fill in the submit request form, put your Burp Suite Collaborator URL in the subject field, fill the rest of the form with test data and click submit.
  3. Now check your Burp Suite Collaborator: you will see DNS and HTTP requests hitting the Collaborator, which confirms the SSRF vulnerability.
  4. Now, to scan a port, fill in a new submit request form and this time use your Burp Suite Collaborator URL with a port, like this: xdec54tyfdfgl7s95ujvg8c2skmyd44svnjc.oastify.com:25
  5. If the port is open you will get a service-specific request (for port 25 and port 80 you get SMTP and HTTP interactions in the Collaborator respectively); if the port is closed, only a DNS query hits the Burp Suite Collaborator.
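The root cause above is a server-side fetch of whatever URL lands in a form field, with no restriction on host or port. The following added example (my own, not code from the original post or from the affected helpdesk) shows the kind of outbound-URL guard that closes this off: it allows only http/https, only ports 80 and 443, resolves the hostname once and refuses anything that points at loopback, private, link-local or IPv4-mapped addresses. The `sample_resolve` table and the hostnames in it are constructed so the check runs offline; the real resolver is `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # stops the :25 style probes described in the post

def default_resolve(host):
    """Resolve host to every A/AAAA address using the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

# Constructed DNS table (hypothetical names) so the guard can be exercised offline.
SAMPLE_DNS = {
    "public.example": {"93.184.216.34"},
    "internal.corp": {"10.1.2.3"},
    "mapped.example": {"::ffff:127.0.0.1"},
    "metadata.example": {"169.254.169.254"},
}

def sample_resolve(host):
    return SAMPLE_DNS[host]

def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolve=default_resolve):
    """Return (ok, reason, resolved_ips) for a user-supplied URL before fetching it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on junk like ':abc'
    except ValueError:
        return False, "invalid URL or port", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password or not parts.hostname:
        return False, "credentials in URL or missing host", []
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, KeyError, ValueError):
        return False, "unresolvable host", []
    bad = sorted(a for a in addrs if not is_public_address(a))
    if bad or not addrs:
        return False, f"resolves to non-public address {bad[0] if bad else 'none'}", sorted(addrs)
    return True, "ok", sorted(addrs)
```

The fetch that follows must connect to one of the returned `resolved_ips` rather than re-resolving the hostname, otherwise a second lookup can return a different (internal) answer.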

Impact:-

1. Internal Network Reconnaissance: By using SSRF to probe internal ports, an attacker can map the internal network’s structure and identify which services are running (e.g., HTTP, SMTP, databases). This knowledge of accessible internal services is valuable in crafting further attacks.

2. Exposed Services Exploitation: Once internal services are identified (e.g., HTTP on port 80 or SMTP on port 25), the attacker could attempt to exploit known vulnerabilities in these services, especially if they’re outdated or misconfigured.

3. Privilege Escalation & Data Exfiltration: If the attacker can find a way to gain access to sensitive internal resources or configurations, they might escalate privileges within the internal network or exfiltrate sensitive data. This could affect Google’s internal resources and potentially have indirect consequences for end-users if any user-related data is accessible.

4. User Data Compromise: If sensitive data or user-related information is accessible within the internal services, a sophisticated attacker might leverage this SSRF to target and access that data.

That’s it for this article. I will upload more articles on web2 bugs covering everything from P4 to P1 in the near future, so stay tuned… 🙂

Buy Me a Coffee : https://buymeacoffee.com/socalledhacker

