Server-Side Request Forgery (SSRF): a hidden approach to the port issue

Deepak Holani
3 min read · May 3, 2019


Hello,

This is my first write-up. I hope you will like this.

I was testing a private program; the domain was in limited scope. It was a social networking domain, www.abc.com.

I was looking for a server-side issue. I saw their box for adding a URL to a job advertisement, and the first thing that came to my mind was to try for SSRF. SSRF actions apply differently depending on where you are looking for SSRF.

What are some SSRF actions?

  • Abuse the trust relationship between the vulnerable server and others.
  • Bypass IP whitelisting.
  • Bypass host-based authentication services.
  • Read resources which are not accessible to the public.
  • Scan the internal network to which the server is connected.
  • Read files from the web server.
  • View Status Pages and interact with APIs as the web server.
  • Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.

As I said, it was a kind of social networking site.

The job posting URL box is shown below:

[Screenshot: box to add an external job link]

I was testing for a port scan by simply using localhost (127.0.0.1) with different ports, but the web page was not showing any error, even though we have a cool friend, Burp. It was not showing me whether a port was open or closed.
Now what?

In addition to http://, I tried the other URL schemes to read and make the server perform actions (file:///, dict://, ftp://, ldap:// and gopher://).

However, only http:// was working, so I opened my Burp.

  1. I had two choices to check: first, check it with Burp Collaborator (you can read more about it at the link given below), and second, a manual check port by port.

I checked the target; below are the request and response.

Note: If you do not have a VPS, the Collaborator Everywhere extension in Burp can help you with testing.

[Screenshot: received DNS lookup]

I decided to check whether the port was open or closed. Only HTTPS:// was allowed. Port 443, 127.0.0.1:443, gave me a 400 Bad Request.

[Screenshot: 400 Bad Request on port 443]

Port 22: 127.0.0.1:22

[Screenshot: response on port 22]

In this way, I found many open and closed ports, and scanned all ports, which threw 201 and 400 responses.
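The scan above works because the fetcher answers differently for 127.0.0.1:443 and 127.0.0.1:22, and lets the submitter choose the destination and port. Below is an added example, not code from this write-up or from the program's site, of the check a job-link fetcher could run before fetching: the hostnames, addresses and the injectable resolver are constructed assumptions for offline use.

```python
"""Hardening check for a user-supplied "external job link" before fetching.

Added example (not the original write-up's code). Hostnames and the
pluggable resolver are constructed so the check can run offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # the fetcher only needed https:// anyway
ALLOWED_PORTS = {443}        # no caller-chosen port, so no port scan


def _resolve(host):
    """Default resolver: every address (A and AAAA) the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_job_url(url, resolver=_resolve):
    """Return (ok, reason). Rejects any URL whose destination is not a
    public address on the allowed scheme and port, so 127.0.0.1:22-style
    probes never reach the fetcher."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # Literal IPs are checked directly; names are resolved and EVERY
    # returned address must be public (a name that maps to 127.0.0.1 is
    # the classic bypass of a string-only blocklist).
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError):
            addrs = set()
        if not addrs:
            return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

The fetcher should then connect to the address that passed the check rather than resolving the name a second time, otherwise a DNS answer that changes between the two lookups can still reach the loopback interface.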

Report details:

29 June 2018 — Bug reported to the company.

29 June 2018 — Bug triaged by the team.

29 June 2018 — Bug fixed.

2 July 2018 — Rewarded with a cool bounty, and the program is launching on HackerOne soon.

Feel free to ask any question on this.

Twitter @w_hat_boy

Thanks :)
