Server-side Request Forgery in OpenID support

Putra Adhari
Dec 24, 2018 · 2 min read

Liberapay Profile at HackerOne

I was just looking for bugs at Liberapay, but when I wanted to change my profile photo the page automatically redirected to .

Steps to Reproduce

1. Register an account to become a member.
2. Go to the profile page, where there is an "Add a new OpenID" menu, and click it.
3. On that page you can add a URL pointing anywhere, so let's exploit that with SSRF.
4. I tried adding a URL like this:

[screenshot]

The page responds with <urlopen error [Errno 111] Connection refused> because that port isn't open, but if I add a URL like this (port 80 is open) the page instead responds with "No usable OpenID services found for". Because the two responses differ, an attacker can tell whether a port on an internal host is open or closed, so the OpenID field doubles as a port scanner.

[screenshot]

Checking with Nmap confirms it: 80/tcp open http Apache httpd

[screenshot]

Now I'll try to receive the request on my own VPS.
I add a URL like this: http://myvpsserver.example:31337 and listen with netcat on port 31337.
And it works!

[screenshot]
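The error text in the post ("urlopen error [Errno 111]") is Python's urllib, so the example below is in Python. It is an added example, not code from the original post nor from Liberapay or Libravatar. It goes a bit beyond the post: it shows the attacker's side (turning the two error messages into an open/closed oracle), the vulnerable fetch pattern, and a hardened URL check that refuses loopback, private and link-local targets and non-standard ports, and collapses every failure into one generic message. All function names, the allow-lists and the fake resolver are assumptions.

```python
"""Added example: OpenID discovery URL as an SSRF port scanner, and a
hardened check. Not from the original post or from Liberapay/Libravatar;
function names, allow-lists and the resolver hook are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

# --- Attacker side: the two messages quoted in the post are an oracle ------
CLOSED_MARKER = "Connection refused"             # [Errno 111] -> port closed
OPEN_MARKER = "No usable OpenID services found"  # fetched OK, but not OpenID


def classify_probe(response_text: str) -> str:
    """Map the application's error text to a port state, the way an
    attacker scanning the internal network through the field would."""
    if CLOSED_MARKER in response_text:
        return "closed"
    if OPEN_MARKER in response_text:
        return "open"
    return "unknown"


# --- Vulnerable pattern (what the post describes) --------------------------
def discover_vulnerable(url: str) -> bytes:
    """Fetch whatever the user typed: any scheme, host or port, and the raw
    urllib error text is shown back to the user."""
    from urllib.request import urlopen  # deliberately unvalidated
    return urlopen(url, timeout=5).read()


# --- Hardened check --------------------------------------------------------
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
GENERIC_ERROR = "Could not verify that URL as an OpenID identifier"


def _resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer for host (assumed helper)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_ip(ip_text: str) -> bool:
    """Reject loopback, RFC1918, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses; unwrap IPv4-mapped v6."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_openid_url(url: str, resolve=_resolve) -> str:
    """Return the public IP the request may go to, or raise ValueError.
    Checks scheme, embedded credentials, port, and every resolved address
    (a host that resolves to one internal address is refused outright)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    try:
        addrs = resolve(parts.hostname)
    except socket.gaierror:
        raise ValueError("host does not resolve")
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return addrs[0]


def is_allowed(url: str, resolve=_resolve) -> bool:
    """Boolean wrapper around validate_openid_url for callers and tests."""
    try:
        validate_openid_url(url, resolve=resolve)
        return True
    except ValueError:
        return False


def discover_hardened(url: str, resolve=_resolve) -> bytes:
    """Validate first, then fetch; any failure becomes GENERIC_ERROR so the
    response no longer distinguishes open ports from closed ones."""
    from urllib.request import urlopen
    try:
        validate_openid_url(url, resolve=resolve)
        return urlopen(url, timeout=5).read()
    except Exception:
        raise ValueError(GENERIC_ERROR)
```

Two caveats a practitioner should keep in mind: the validator resolves the hostname and then lets urllib resolve it again, so a DNS-rebinding attacker can pass the check and still reach an internal address; pinning the connection to the validated IP (or re-checking the peer address in the HTTP client) closes that gap. And the generic error message is as much part of the fix as the address check, since the post's port-scan oracle relied entirely on the two distinct responses.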

Reference :


Server Side Request Forgery (SSRF) refers to an attack wherein an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Additionally, it's also possible for an attacker to leverage SSRF to access services from the same server that is listening on the loopback interface (

Regards, BugHunter Indonesia, BugBounty ID.


Reported (16 Dec 2018)

Libravatar thanked me (17 Dec 2018)

Libravatar added me to the Hall of Fame (24 Dec 2018)

Bug Fix and Release
