Reading Internal Files using SSRF vulnerability

Neeraj Sonaniya
Oct 16, 2017 · 2 min read

I have been hunting on one private program for the last 8 months. Since it does not allow disclosure, I will keep the organization redacted and use 'example.com' as its name in requests.

I am going to show how I was able to read an organization's internal files using a Server-Side Request Forgery (SSRF) vulnerability.


While searching for vulnerabilities, I came across a JavaScript file. I unminified it into readable form using http://unminify.com/ and, while looking through it for new endpoints (more endpoints mean more chances of finding vulnerabilities), I found one function:

[Screenshot: the function]

After analyzing it, I was able to construct a request from the above function as follows:

[Screenshot: request made from the function]

Here you can see an interesting parameter, 'filehookURL'. The server fetched whatever URL I put in it and returned the response of https://www.REDACT.com to me, which confirmed the SSRF. (A stronger confirmation, when the target allows it, is to point the parameter at a host you control and watch for the inbound request from the server's IP.) My next goal was to see whether I could read the organization's internal files.

The next step is to test dangerous URL schemes such as file:///, dict://, ftp:// and gopher://. I was lucky: the file:/// scheme worked, and I was able to read internal files with it.
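To show why a parameter like filehookURL ends up reading /etc/passwd, here is an added example (not code from the original write-up or from the affected organization): a minimal server-side URL fetcher in its vulnerable form, a hardened check beside it, and the scheme probes from the paragraph above as a payload list. The fetcher built on urllib is an assumption about how such endpoints are typically implemented; the port numbers in the probes are assumptions too. It runs offline: the only file it reads is a temporary stand-in for /etc/passwd that it creates itself.

```python
"""Added example, not code from the original write-up or the affected
organization: a minimal server-side URL fetcher of the kind that sits behind
a parameter like 'filehookURL', in its vulnerable form and a hardened form,
plus the scheme probes from the text. Runs offline: the only file it reads
is a temporary stand-in for /etc/passwd that it creates itself."""
import ipaddress
import os
import pathlib
import socket
import tempfile
from urllib.parse import urlparse
from urllib.request import urlopen


def fetch_unsafe(url: str) -> bytes:
    """Vulnerable: the attacker-controlled URL goes straight to urlopen().
    urllib speaks file:// and ftp:// out of the box, so file:///etc/passwd
    is read from the server's own disk and echoed back to the caller."""
    with urlopen(url) as resp:
        return resp.read()


ALLOWED_SCHEMES = {"http", "https"}


def classify_url(url: str) -> tuple[bool, str]:
    """Hardened check: allowlist the scheme, resolve the host, and refuse
    anything that lands on loopback, link-local (cloud metadata), private
    or otherwise non-global addresses. Makes no request."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "userinfo in URL"          # http://trusted@127.0.0.1/ tricks
    try:
        infos = socket.getaddrinfo(parts.hostname, parts.port or 80,
                                   proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "host does not resolve"
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:127.0.0.1
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"{parts.hostname} resolves to internal address {ip}"
    return True, "ok"


def fetch_safe(url: str) -> bytes:
    """Fetch only after the URL passes classify_url()."""
    ok, reason = classify_url(url)
    if not ok:
        raise ValueError(f"refused: {reason}")
    return fetch_unsafe(url)   # re-resolves the host; see the note on rebinding


def scheme_probes(host: str = "127.0.0.1") -> list[str]:
    """The scheme matrix from the text as payloads for a parameter like
    filehookURL. Ports are assumptions (memcached, ftp, redis)."""
    return [
        "file:///etc/passwd",
        f"dict://{host}:11211/stats",
        f"ftp://{host}/",
        f"gopher://{host}:6379/_INFO",
    ]


def demo() -> dict:
    """Show the vulnerable fetcher leaking a local file that the hardened
    check would have refused. The file content is a constructed stand-in."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    url = pathlib.Path(path).as_uri()            # file:///tmp/...
    try:
        leaked = fetch_unsafe(url)
        allowed, reason = classify_url(url)
    finally:
        os.unlink(path)
    return {"leaked": leaked, "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    print(demo())
    for probe in scheme_probes():
        print(probe, "->", classify_url(probe))
```

Two caveats on the hardened side. classify_url resolves the host once and urlopen resolves it again, so a DNS name that rebinds between the two lookups can still reach an internal address; a production fix connects to the IP it vetted (or pins the resolved address) rather than re-resolving. HTTP redirects are a second path to the same problem, since the vetted host can 3xx to http://127.0.0.1/, so follow redirects manually and re-run the check on each hop.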

Here is the request I made to read the '/etc/passwd' file:

[Screenshot: final request to read the /etc/passwd file]

And here is the response:

I immediately reported it to the organization, and the team was very fast to respond. They fixed the issue within 2 hours of their first response and awarded me a generous bounty.

So never forget to look into JavaScript files; it is possible to find new endpoints in them.


I hope you learned something from it.

Thanks for reading.
