SSRF Series — The Accidental SSRF

Abhijit Acharya
2 min read · Oct 19, 2022


What’s SSRF?

SSRF (Server-Side Request Forgery) has its own category in the OWASP Top 10, yet finding one can still be tricky. The vulnerability occurs when an application fetches data from a user-supplied URL without validating it. How it can be exploited depends on the application's infrastructure and on what the response reveals.

The Recon

Identifying a path, query, or request-body parameter that takes a URL or file path as input can be challenging. The application might return a response that hints at the URL being hit, or it might return the contents of the file path being retrieved. Usually, one finds SSRF in file/image uploads via URL, in URL-preview functionality, or in business logic that parses HTML containing references to an attacker-controlled domain (e.g. an HTML-to-PDF renderer).

My usual process for finding SSRFs is to start the Burp Suite proxy and log each API call while browsing the application. These APIs can then be combed for vulnerabilities in two ways: manually, or with the popular Burp Suite extension Hunt Scanner, which automatically classifies potential vulnerabilities by type based on the parameter names.

Next, I try adding parameters that are commonly used to send URLs. Some examples are listed below:

  • file
  • document
  • page
  • path
  • template
  • nextpage

Sometimes the backend accepts a parameter that the frontend never actually sends, so it only shows up when you add it yourself.

The Vulnerability

In our case, the API took a parameter (nextPage) pointing to a third-party website from which it fetched the next set of results. Putting a Burp Collaborator URL in the nextPage parameter returned a 500 response, along with a server interaction in Burp Collaborator. This meant the parameter was being used; the response just wasn't what the server expected.

Response of server to nextPage parameter

The Exploit

The server did not just call the API; it also added an Authorization header carrying its API key for the third-party service, Okta. This key gave full admin access to Okta, meaning I could perform any admin operation via the Okta APIs!

Burp Collaborator Client

And boom… we have the SSRF.
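The root cause above is a server that attaches its upstream credential to whatever URL arrives in nextPage. The following added example (not code from the post or from the affected application) shows that vulnerable pattern next to a hardened version that only attaches the key after the URL passes a strict allow-list check; the host name, key value and header scheme are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder values for this example; not from the original post.
THIRD_PARTY_HOST = "api.thirdparty.example"
API_KEY = "PLACEHOLDER_API_KEY"
ALLOWED_HOSTS = {THIRD_PARTY_HOST}


class UnsafeDestination(ValueError):
    """Raised when a user-supplied URL is not an allowed upstream."""


def build_request_vulnerable(next_page: str) -> tuple[str, dict]:
    """The pattern from the post: whatever URL arrives in nextPage is fetched
    with the upstream API key attached, so a Collaborator host receives the key."""
    return next_page, {"Authorization": f"Bearer {API_KEY}"}


def validate_upstream_url(next_page: str) -> str:
    """Accept only absolute https URLs whose host is exactly an allow-listed upstream.
    Rejects userinfo tricks (https://allowed@evil), non-https schemes, unexpected
    ports and look-alike hosts; path and query are passed through unchanged."""
    parts = urlsplit(next_page)
    if parts.scheme != "https":
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDestination("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:  # exact match, never a suffix/substring match
        raise UnsafeDestination(f"host not allow-listed: {host!r}")
    if parts.port not in (None, 443):
        raise UnsafeDestination(f"port not allowed: {parts.port}")
    # Rebuild from validated parts so the netloc is canonical (no userinfo/port).
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def build_request_hardened(next_page: str) -> tuple[str, dict]:
    """Attach the API key only to a validated upstream URL. The HTTP client
    that sends it should also not follow redirects, or must re-validate
    each redirect target, since a redirect can move the request off-host."""
    url = validate_upstream_url(next_page)
    return url, {"Authorization": f"Bearer {API_KEY}"}


def is_allowed_destination(next_page: str) -> bool:
    """Convenience predicate for logging/alerting on rejected nextPage values."""
    try:
        validate_upstream_url(next_page)
        return True
    except ValueError:
        return False
```

Rejected values from is_allowed_destination are worth logging: a burst of non-allow-listed hosts in nextPage is exactly the probing pattern described in this post.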

Read more: Back to basics

Hope you enjoyed this. Thanks for reading. Follow for more!
