$1.000 SSRF in Slack

Elber Andre
Feb 17, 2019 · 4 min read

Before I start, I have two important tips for anyone starting in the world of BugBounty.

1: Always check previous reports; you may already know a bypass that works in that situation, or you can learn something new.

2: If you like content about Bug Bounty or other hacking-related stuff, subscribe to my channel and follow the new posts.

SLACK AND SSRF:


Slack is the collaboration hub that brings the right people, information, and tools together to get work done. From Fortune 100 companies to corner markets, millions of people around the world use Slack to connect their teams, unify their systems, and drive their business forward.

Slash Commands:

“SSRF in api.slack.com, using slash commands and bypassing the protections.”

You can learn more about Slash Commands:

“Some Slack features like “Integrations / Phabricator” and “Integration / Slash Commands” allow users to submit a URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources (loopback, 10.0.0.0/8, 192.168.0.0/24, …). This blacklist can be bypassed using “[::]” as the hostname. Only services binding all the interfaces and supporting IPv6 can be reached using that vector.” So said user agarri_fr in his report to Slack.


Slack has disabled the option to register IPv6 addresses in your Slash Commands.


~Fixed~

For them, a fix, for me, a bypass.

To bypass this new protection, I used a redirect with the ‘Location’ header in PHP: Slack checks the URL I register, but it also follows the redirect that my server sends back.

Port 22 (screenshot of the response):

Port 25 (screenshot of the response):

After I found this bypass, I looked for more vulnerabilities in Slack, and I found the Event Subscriptions parameter.

“Bypass of the SSRF protection in Event Subscriptions parameter.”

The vulnerability is present in the “Event Subscriptions” parameter. As Slack describes it: “Your app can subscribe to be notified of events in Slack (for example, when a user adds a reaction or creates a file) at a URL you choose.”
URL:
https://api.slack.com/apps/YOUAPPCODE/event-subscriptions?

When we add a site that does not respond the way the API expects, we receive the following message:


Your request URL gave us a 500 error. Update your URL to receive a new request and challenge value.

Bypass using the IPv6 vector [::], reached through a redirect.

On my host, x.php contains an open redirect: whatever URL is passed in the u parameter is sent back as the Location header, so Slack's fetcher follows it.

<?php
// Redirect the client to the URL given in ?u= (the PoC passes http://[::]:22/)
header("Location: " . $_GET['u']);
?>

PoC:

http://hacker.site/x.php/?u=http://%5B::%5D:22/

Response:
SSH [::]:22
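The two bypasses in this post defeat the same kind of check: a blocklist that pattern-matches the URL the user submitted, once, before any request is made. The literal host [::] is not on the list, and a redirect from an external host is never checked at all. The following is an added example (editor's illustration, not Slack's code) of the defensive side: resolve every host, classify every resulting address with the ipaddress module, and repeat that for each redirect hop before it is followed. DNS and HTTP are replaced by constructed in-memory stand-ins (FAKE_DNS, FAKE_HTTP, the address chosen for hacker.site) so the example runs offline; the redirector entry mirrors the x.php from this post.

```python
"""Added example: SSRF guard that re-validates every redirect hop (not Slack's code)."""
import ipaddress
from urllib.parse import urljoin, urlsplit


class SSRFBlocked(ValueError):
    """Raised when a URL, or a redirect target, points at an internal address."""


# A naive blocklist of the kind the post describes: literal prefixes, checked
# once, against the hostname the user submitted.
NAIVE_BLOCKLIST = ("localhost", "127.", "10.", "192.168.")


def naive_is_allowed(url):
    host = urlsplit(url).hostname or ""
    return not host.startswith(NAIVE_BLOCKLIST)


def address_is_internal(addr):
    """True for any address a user-controlled fetch must never reach."""
    ip = ipaddress.ip_address(addr)
    # "::ffff:127.0.0.1" is IPv4 loopback in disguise: classify the inner address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified          # "[::]" and 0.0.0.0: every local interface
            or ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved)


# Constructed stand-in for DNS (assumption: hacker.site is a made-up host and
# 93.184.216.34 a routable address picked for the example). IP literals resolve
# to themselves, which is exactly how "[::]" slips past a name-based blocklist.
FAKE_DNS = {"hacker.site": ["93.184.216.34"]}


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


# Constructed stand-in for HTTP: (status, Location header, body) per URL.
# The first entry is what the post's x.php would answer.
FAKE_HTTP = {
    "http://hacker.site/x.php/?u=http://%5B::%5D:22/": (302, "http://[::]:22/", ""),
    "http://hacker.site/hook": (200, None, "challenge-ok"),
    "http://[::]:22/": (200, None, "SSH-2.0-banner"),  # what an unguarded client would read
}


def fake_http(url):
    return FAKE_HTTP.get(url, (404, None, ""))


def safe_fetch(url, resolve=fake_resolve, http=fake_http, max_redirects=5):
    """Fetch url, validating the host of every hop before that hop is contacted."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            raise SSRFBlocked(f"scheme not allowed: {url}")
        host = parts.hostname
        if not host:
            raise SSRFBlocked(f"no host: {url}")
        addrs = resolve(host)
        if not addrs:
            raise SSRFBlocked(f"unresolvable host: {host}")
        for addr in addrs:  # every address a name resolves to, not just the first
            if address_is_internal(addr):
                raise SSRFBlocked(f"{host} -> {addr} is internal ({url})")
        status, location, body = http(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # loop again: the new target is validated too
            continue
        return body
    raise SSRFBlocked("too many redirects")


def classify(url):
    """One-line verdict instead of an exception, handy for logging and tests."""
    try:
        return "allowed: " + safe_fetch(url)
    except SSRFBlocked as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    for u in ("http://hacker.site/hook",
              "http://[::]:22/",
              "http://hacker.site/x.php/?u=http://%5B::%5D:22/"):
        print(f"naive={naive_is_allowed(u)!s:5}  {classify(u)}")
```

Two design points carry over to real code. The HTTP client must not follow redirects on its own (for example, requests needs allow_redirects=False), otherwise the loop above never sees the intermediate hops. And the connection must go to the address that was validated, not to a fresh lookup of the name, or a DNS answer that changes between the check and the connect reopens the hole.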


SMTP [::]:25


Slack classified this report as a duplicate of another SSRF; I insisted that they add me as a participant in the other report.

I saw that the other report was different from mine, so I told the team that they could have been wrong.


References:

https://hackerone.com/reports/61312

(The reports will be publicly disclosed on HackerOne on 02/22.)

https://hackerone.com/reports/381129

https://hackerone.com/reports/386292
