SSRF via FFmpeg HLS processing

Pflash Punk
Dec 11, 2019 · 2 min read
[Image: FFmpeg logo]

FFmpeg is a free and open-source project consisting of a vast software suite of libraries and programs for handling video, audio, and other multimedia files and streams. At its core is the FFmpeg program itself, designed for command-line-based processing of video and audio files, and widely used for format transcoding, basic editing (trimming and concatenation), video scaling, video post-production effects, and standards compliance. FFmpeg is known to process HLS playlists, and a playlist may reference external files: when FFmpeg demuxes it, it fetches those references itself, so a server that runs FFmpeg on user-supplied input can be made to issue outbound requests.

Story

I received a private invitation on Bugcrowd; let's call it REDACTED.COM.

Basically, Redacted.com is a video transcoding platform, so it's 99% sure that they'll be using FFmpeg :P
So it's obvious the first test I'll perform on the target will be SSRF using FFmpeg HLS processing.

Setup

1. A small server, just to check logs; you can use AWS or DigitalOcean.

2. B-XSSRF to check the requests. Download it from Here. (Don't forget to read the instructions given in the repo.)

3. Malicious AVI file. Download it from Here.

4. Open the downloaded AVI file in Notepad++, search for http://127.0.0.1/request.php and replace it with yours.

Testing

Now we are ready to test SSRF with FFmpeg.

  1. Logged in to Redacted.com.
  2. Uploaded the video.
  3. Checked for requests received.
  4. Bingo! It's vulnerable :P
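The check above works because FFmpeg will treat an upload as an HLS playlist and follow the URIs inside it. For the defending side (the transcoding service), the two controls worth having are a pre-scan that refuses uploads which probe as HLS playlists, and an ffmpeg invocation that cannot open remote protocols at all. The following is an added example, not code from the post, from B-XSSRF or from FFmpeg; the sample uploads are constructed byte strings, the regexes are my own, and `-protocol_whitelist` is a real libavformat option whose value `file` here assumes the pipeline only ever reads local input.

```python
import re

# Constructed sample inputs (not files from the post). The first has the shape
# the post describes: an "upload" whose bytes are an HLS playlist that points
# FFmpeg at an HTTP URL. The second is a harmless RIFF/AVI-looking header.
PLAYLIST_UPLOAD = (
    b"#EXTM3U\n"
    b"#EXT-X-VERSION:3\n"
    b"#EXT-X-MEDIA-SEQUENCE:0\n"
    b"#EXTINF:10.0,\n"
    b"http://127.0.0.1/request.php\n"
    b"#EXT-X-ENDLIST\n"
)
PLAIN_UPLOAD = b"RIFF\x24\x00\x00\x00AVI LIST" + b"\x00" * 64

# Absolute URI with a scheme (http://, https://, file://, ...); constructed regex.
SCHEME_RE = re.compile(rb"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# URI="..." attribute inside a tag line such as #EXT-X-KEY or #EXT-X-MAP.
ATTR_URI_RE = re.compile(rb'URI="([^"]*)"')


def find_hls_references(data: bytes, probe_size: int = 1 << 20) -> dict:
    """Inspect the head of an upload for an HLS playlist and list the URIs it references.

    Returns is_playlist (the #EXTM3U marker was seen in the probed head), every
    referenced URI, and the subset that carry an explicit scheme; the latter are
    the entries FFmpeg would fetch over that protocol when demuxing the playlist.
    """
    head = data[:probe_size]
    result = {"is_playlist": False, "uris": [], "external_uris": []}
    if b"#EXTM3U" not in head:
        return result
    result["is_playlist"] = True
    for raw in head.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(b"#"):
            # Tag lines only matter if they carry a URI attribute.
            candidates = ATTR_URI_RE.findall(line)
        else:
            # Any non-tag line is a segment or sub-playlist URI.
            candidates = [line]
        for uri in candidates:
            text = uri.decode("utf-8", errors="replace")
            result["uris"].append(text)
            if SCHEME_RE.match(uri):
                result["external_uris"].append(text)
    return result


def should_reject(data: bytes) -> bool:
    """Policy for a service that expects real media: refuse anything that probes
    as an HLS playlist, since such an upload would drive FFmpeg's outbound fetches."""
    return find_hls_references(data)["is_playlist"]


def hardened_ffmpeg_cmd(input_path: str, output_path: str) -> list:
    """Build an ffmpeg argv that only lets libavformat open local files.

    With the protocol whitelist limited to 'file', a playlist entry such as
    http://... fails to open instead of being fetched (assumption: the pipeline
    never needs network input; extend the list deliberately if it does).
    """
    return [
        "ffmpeg", "-nostdin", "-y",
        "-protocol_whitelist", "file",
        "-i", input_path,
        output_path,
    ]


if __name__ == "__main__":
    for name, blob in (("playlist", PLAYLIST_UPLOAD), ("plain", PLAIN_UPLOAD)):
        info = find_hls_references(blob)
        verdict = "reject" if should_reject(blob) else "allow"
        print(name, verdict, info["external_uris"])
    print(" ".join(hardened_ffmpeg_cmd("upload.avi", "out.mp4")))
```

The pre-scan is deliberately looser than FFmpeg's own probe (it flags `#EXTM3U` anywhere in the first megabyte rather than only at the start), which errs toward rejecting odd uploads; the protocol whitelist is the control that holds even when the scan is bypassed, so run FFmpeg with it regardless, and log any `external_uris` the scan finds to spot probing attempts.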

What's next?

Reported to the vendor on Bugcrowd -> Duplicate -> LOL

Anyway, it may help you :)

Written by Pflash Punk

Bug hunter, learner, security analyst at Transcodium :)
