Server-side request forgery in Strapi v4.24.4 (CVE-2024-37818)

Vaibhav Barkade
Jun 19, 2024

Description:

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker causes the server to connect to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. Either way, this can leak sensitive data such as authorization credentials.

Evidence/Steps to Reproduce:

1. Log in to the application using valid admin credentials and click on BLOG.

2. Capture the request for the API shown in the screenshot below and press CTRL+R to send it to Repeater. Notice that the API tries to fetch the image resource from a remote URL.

3. Change the url parameter to the internal IP, i.e. 127.0.0.1, and hit Send. Notice that the application blocks the request, as shown in the response below.

URL : https://strapi.io/_next/image?url=http://127.0.0.1&w=64&q=64

4. Bypass this restriction by using http://localhost instead and notice that the application tries to fetch content from an internal open port.

5. To verify the vulnerability, change the port number to any random port and observe the response. As shown in the screenshot below, the application throws an error if the port is closed.

6. Send the request to Intruder and set the payload position on the port number.

7. Select the payload type “Number” and set the range to “1–65535”. Then click the Start attack button.

8. Observe the responses. An attacker can identify internal open ports from the differing responses, as shown in the attached screenshot.

Note: This attack can be performed as an unauthorized user by simply sending a GET request to the endpoint below.

URL : https://strapi.io/_next/image?url=http://127.0.0.1&w=64&q=64

Remediation

1. Whitelists and DNS Resolution

2. Authentication on Internal Services

3. Harden Cloud Services

4. Response Handling

5. Disable Unused URL Schemas

References

1. https://portswigger.net/web-security/ssrf#:~:text=Server%2Dside%20request%20forgery%20is,services%20within%20the%20organization's%20infrastructure.

2. https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
