Reading Internal Files using SSRF vulnerability

I am hunting on one private program since last 8 months, since it doesn’t allow disclosure i will keep organization REDACT, in requests i will use ‘example.com’ as its name.

I am going to show how i was able to read internal files of an organization using Server Site Request Forgery vulnerability.

While searching for vulnerability, i encountered with one ‘JavaScript’ file. I unminified that JavaScript into readable form using http://unminify.com/ , while searching for new endpoints in that JavaScript file for more chances of getting vulnerabilities, i found one function:

Function

After analyzing it i was able to make request from above function as follows:

Request made from function

Here you can see an interesting parameter ‘filehookURL’ , so i thought it is SSRF issue because i got the response of https://www.REDACT.com , so i confirmed that it is SSRF and hence my next target was, if i can read internal files of organization.

The next is to test dangerous URL schemas such as file:/// , dict:// , ftp:// and gopher:// , but i was lucky enough and i was able to read internal files from file:/// scheme.

Here is the request i made to read ‘/etc/passwd’ file :

Final Request to read /etc/passwd file

And here is the response:

I immediately reported it to the organization, and the team was very fast in response. They fixed the issue within 2 hrs of their first response and awarded me with generous bounty.

So, never forgot to look into JavaScript files, as it is possible to get new endpoints from them.

I hope you learned something from it.

Thanks for reading.