SSRF via FFmpeg HLS processing
FFmpeg is a free and open-source project consisting of a vast software suite of libraries and programs for handling video, audio, and other multimedia files and streams. At its core is the FFmpeg program itself, designed for command-line-based processing of video and audio files, and widely used for format transcoding, basic editing (trimming and concatenation), video scaling, video post-production effects, and standards compliance. FFmpeg is known to process HLS playlists that may contain references to external files.
Story !
I received a private invitation on bugcrowd , lets call it REDACTED.COM .
Basically Redacted.com is a video transcoding platform , so its 99% sure that they’ll be using FFmpeg :P
So its obvious the first test i’ll perform on the target will be SSRF only using FFmpeg HLS Processing.
Setup !
1.A small server , just to check logs , you can use AWS or DigitalOcean.
2. B-XSSRF to check the requests. Download it from Here . ( Don’t forget to read the instructions given in repo )
3. Malicious AVI file. Download it from Here.
4. Open the downloaded AVI file in notepad++ , search for http://127.0.0.1/request.php and replace it with yours.
Testing !
Now we are ready to test SSRF with FFmpeg.
- Logged in to Redacted.com
- Uploaded the video.
- Checked for requests received .
4. Bingo ! its vulnerable :P
What’s next ?
Reported to the vendor on bugcrowd -> Duplicate -> LOL
Anyway’s it may help you :)