SSRF Vulnerability due to Sentry misconfiguration

Valeriy Shevchenko
May 27 · 2 min read

This story started when I saw that disclosed report.

And the funny thing is that I remembered seeing some Sentry requests in my Burp Suite Proxy history on my current project. From that point of view, I highly recommend not filtering the Proxy history: who knows what kind of interesting information can be lost by looking only at the “in scope” view.

The root of the issue is the Sentry configuration, specifically the JavaScript source fetching setting.

So basically you have a 50% chance of a successful SSRF in that place on your target, because some companies have been informed about those risks by the Sentry blog and have turned off the Source Fetching functionality.

First, what we need is a request to the Sentry logs of your target. To get that request, you can try blocking some source in your browser for your target. After that, you will see the request to Sentry with the error information.

And for a good POC all we need to do is change the source to an address where you can log incoming requests. I used ngrok, which is why you can see an ngrok tunnel in my SSRF Sentry request.
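The mechanism described above boils down to this: Sentry's source fetching follows whatever script URL appears in the stack frames of an error event, and that event is sent by the client, so anyone who can reach the DSN controls the URL. The following is an added example (not Sentry's code and not from this post) of a defender-side detection pass over event payloads: it walks the standard Sentry event shape (`exception.values[].stacktrace.frames[].abs_path`, falling back to `filename`), flags frames whose source host is outside an allowlist of the application's own origins, and additionally flags literal loopback, private or link-local addresses, which goes a bit beyond the post's scenario. The allowlist, the hostnames and the sample event are constructed for illustration.

```python
"""Find Sentry events whose stack frames point JavaScript source fetching at an
untrusted host.

Added example, not Sentry's own code. It assumes the standard Sentry event shape
(exception.values[].stacktrace.frames[].abs_path); the allowlist, hosts and the
sample event below are constructed for illustration.
"""
import copy
import ipaddress
from typing import Dict, Iterator, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hosts the application really serves its scripts from (constructed).
ALLOWED_SOURCE_HOSTS: Set[str] = {"app.example.com", "static.example.com"}


def iter_frame_urls(event: Dict) -> Iterator[str]:
    """Yield every source URL a Sentry server could try to fetch for this event."""
    for value in event.get("exception", {}).get("values", []):
        for frame in value.get("stacktrace", {}).get("frames", []):
            url = frame.get("abs_path") or frame.get("filename")
            if url:
                yield url


def classify_source_url(url: str, allowed_hosts: Set[str] = ALLOWED_SOURCE_HOSTS) -> Optional[str]:
    """Return a reason string if this URL should not be fetched, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # webpack:///, app://, bare paths: nothing for the server to fetch
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return f"literal internal address {host}"
    if host not in allowed_hosts:
        return f"host {host!r} not in source allowlist"
    return None


def untrusted_source_urls(event: Dict, allowed_hosts: Set[str] = ALLOWED_SOURCE_HOSTS) -> List[Tuple[str, str]]:
    """Detection: every (url, reason) pair in the event that source fetching would follow."""
    findings = []
    for url in iter_frame_urls(event):
        reason = classify_source_url(url, allowed_hosts)
        if reason:
            findings.append((url, reason))
    return findings


def scrub_untrusted_frames(event: Dict, allowed_hosts: Set[str] = ALLOWED_SOURCE_HOSTS) -> Dict:
    """Return a copy of the event with untrusted source references removed.

    Useful for cleaning stored events; it does not replace disabling source
    fetching, because the attacker submits the event to the DSN directly and
    nothing on the client side can be trusted to run this first.
    """
    scrubbed = copy.deepcopy(event)
    for value in scrubbed.get("exception", {}).get("values", []):
        for frame in value.get("stacktrace", {}).get("frames", []):
            url = frame.get("abs_path") or frame.get("filename")
            if url and classify_source_url(url, allowed_hosts):
                frame.pop("abs_path", None)
                frame["filename"] = "<untrusted-source-removed>"
    return scrubbed


# Constructed sample event: one legitimate frame, one frame rewritten to an
# ngrok-style host the way the post's proof of concept does.
SAMPLE_EVENT: Dict = {
    "exception": {
        "values": [
            {
                "type": "TypeError",
                "value": "Cannot read property 'x' of undefined",
                "stacktrace": {
                    "frames": [
                        {"abs_path": "https://app.example.com/static/main.js", "lineno": 12},
                        {"abs_path": "https://example.ngrok.io/evil.js", "lineno": 1},
                    ]
                },
            }
        ]
    }
}


if __name__ == "__main__":
    for url, reason in untrusted_source_urls(SAMPLE_EVENT):
        print(f"would fetch {url}: {reason}")
```

Running it over a batch of exported events is a quick way to confirm whether a project has already been probed; the fix itself is still to turn off JavaScript source fetching in the project settings, as the post says.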

And finally, here are my results. Data was fetched and I logged the incoming request on my local machine through the ngrok tunnel.

The issue was reported to the security department immediately. I hope it will be fixed after an analysis of all Sentry endpoints.

Wish you luck with your testing targets 😊


Written by Valeriy Shevchenko

I am a guy who is passionate about testing and security research 👨‍💻 → t.me/valyaroller