Open in app

Sign in

Write

Sign in

Server Side Request Forgery(SSRF){port issue hidden approch }

Deepak Holani
3 min readMay 3, 2019

--

Hello,

This is my first write-up. I hope you will like this.

Deepak Holani (@w_hat_boy) | Twitter

The latest Tweets from Deepak Holani (@w_hat_boy). #appsec 🤗...#security

twitter.com

I was testing a private program, domain was in limited scope. This is related to social networking domain www.abc.com

I was looking for the server-side issue I see their box for adding URL for job advertise first thing that come to my mind try for SSRF. SSRF Actions apply on different approaches depending on where you are looking for SSRF.

what are some SSRF Actions >>

  • Abuse the trust relationship between the vulnerable server and others.
  • Bypass IP whitelisting.
  • Bypass host-based authentication services.
  • Read resources which are not accessible to the public.
  • Scan the internal network to which the server is connected.
  • Read files from the web server.
  • View Status Pages and interact with APIs as the web server.
  • Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.

As I said, it was a kind of social networking site.

job posting URL box below:

To add external job link

I was testing for a port scan by simple localhost (127.0.0.1) and different ports.
but on the web page, it was not showing any error as we have a cool friend burp. It was not showing me a open port or close.
Now, what????

In addition to http:// I tried the other URL schema to read and make the server perform actions (file:///, dict://, ftp://, ldap:// and gopher://).

However, only http:// working, so I open my burp.

  1. I had two choices to check, so first I will check it with burp-collaborator you can read more about below link given and other by manual check by port ..

Burp Collaborator

This section contains information about What Burp Collaborator is, How Burp Collaborator works, Security of data…

portswigger.net

I check the target, below is the request and response.

Note: If you do not have a VPS, a collaborator everywhere in the burp, can help you with testing.

Received DNS lookup

I decided to check whether the port was open or close. HTTPS:// was only allowed. port 443, 127.0.0.1:443 gave me 400 bad requests.

400 bad request on port 443

Port 22, 127.0.0.1:22

on port 22

In this way, I found many open ports or closed ones,and scanned all ports which threw 201 and 400 responses.

Report details -

29-june-2018— Bug Reported to the company.

29-june-2018 — Bug triaged by team

29- june -2018—bug fixed

2-july-2018 — Reward me with a cool bounty and a program launched on hackerOne soon.

Feel free to ask any question on this.

Twitter @w_hat_boy

Deepak Holani

Deepak Holani is on Facebook. Join Facebook to connect with Deepak Holani and others you may know. Facebook gives…

www.facebook.com

Thanks :)

Security
Bug Bounty
Ssrf
Pentesting
Web Development

--

--

Deepak Holani

Written by Deepak Holani

112 Followers

Security

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams