From SSRF to Local File Disclosure

This blog is written about a bug (I believe), that was found on my last weekend. It located on a website from a private program X on Hackerone.

That website has an API, allows users input their URL and email. In the backend, there is a simulated browser, which tries to open that URL and send the screenshot to user’s email. Actually, I don’t have any idea about that simulated browser, not sure if it is a real one or not. First thing, I inject a URL, and the received User-Agent is

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Personally, I am interested in SSRF bug, and this case I have the response, so, I thought that I might have some funs.

After the URL, I tried my luck with:


The server accepts these URL, open it and send the result to my inbox. But the received responses areErr: timeout for almost times.

The hard thing is the limited number of URLs to be inputted. So, I couldn’t do the brute-force to test Boolean-based.

OK. Now is the time for the local file:


These above payloads had been used to injected as URLs. However, this time, the server stopped me and said that they are invalid URLs.

I paused when there are not any ideas in my head.

That night, after a cup of Asahi beer, I decided to brainstorm again.

Is there anything else that I forgot?

Oh, http ? Yes. file ? Yes. chrome ? Yes…. How about other services? ftp ?

Promptly, has been inserted. It worked. Then, I was confused about which keyword had been filtered on the server. I replaced ftp by file , and it worked also. How so?

Yes. The problem is /// , we only need a couple of / , if there are more than, the server would think it is an invalid URL. Then, I tried with file:// .

Index of page was in the response. Awesome!

Then, how about /etc/passwd ? Hmm. The URL would be: file://s/etc/passwd

Awesome, again!!!

And that is my PoC.

I submitted the report to that program; unfortunately, they fixed and said that they aware of that issue and closed as Informative.

Actually, I still don’t really understand that decision, however, I don’t want to argue with triggers, then, it should be fine.