Server Side Request Forgery (SSRF): a hidden approach to the port issue

Hello guys,

This is Deepak Holani #appsec

This is my first write-up; I hope you like it.

I was testing a private program.

The domain was in limited scope; it is related to social networking.

Domain: www.abc.com

I was looking for server-side issues and saw a box there for adding a URL for a job advertisement. The first thing that came to my mind was to try for SSRF here.

The SSRF actions you can apply differ depending on where you are looking for the SSRF.

What are some of the SSRF actions?

  • Abuse the trust relationship between the vulnerable server and others.
  • Bypass IP whitelisting.
  • Bypass host-based authentication services.
  • Read resources which are not accessible to the public.
  • Scan the internal network to which the server is connected.
  • Read files from the web server.
  • View Status Pages and interact with APIs as the web server.
  • Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.
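Every action in this list needs the server to follow a user-supplied URL to a destination the user should not be able to choose, so the defence sits at the point where the URL is accepted. The following is an added example of such a check (my own code, not from the write-up or the program tested): it restricts the scheme and port to what a job link legitimately needs, resolves the host, refuses loopback, private and other non-public addresses, and pins the resolved address so the fetcher cannot be redirected by a changed DNS answer. The hostnames and addresses in the demo resolver are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Only schemes a job link legitimately needs. file://, dict://, gopher:// and
# the like are rejected before anything is fetched.
ALLOWED_SCHEMES = {"http", "https"}
# A job advertisement lives on a public website, so only the standard web
# ports are accepted; 127.0.0.1:22 or :3306 never reaches the fetcher.
ALLOWED_PORTS = {80, 443}

# A resolver maps a hostname to its IP addresses. It is injectable so the
# check can be exercised offline with a constructed lookup table.
Resolver = Callable[[str], List[str]]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    pinned_ip: Optional[str] = None  # address the fetcher must connect to


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA records via the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, RFC 1918 private,
    link-local, carrier-grade NAT, documentation and reserved ranges.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> Verdict:
    """Decide whether the server may fetch a user-supplied URL.

    Fails closed: anything that cannot be parsed or resolved is rejected.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme not allowed: {scheme or '<none>'}")
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host")
    try:
        port = parts.port
    except ValueError:
        return Verdict(False, "malformed port")
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return Verdict(False, f"port not allowed: {port}")

    # A literal IP is checked directly; a DNS name is resolved first so that a
    # name pointing at 127.0.0.1 or 10.0.0.0/8 is caught as well.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        return Verdict(False, f"host does not resolve: {host}")
    for ip in ips:
        if not is_public_address(ip):
            return Verdict(False, f"{host} resolves to non-public address {ip}")

    # Pin the address that was checked. The fetcher must connect to pinned_ip
    # (still sending the original Host header) instead of resolving again;
    # otherwise a DNS answer that changes between check and fetch slips past.
    return Verdict(True, "ok", pinned_ip=ips[0])


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS; these are not real hosts.
    fake_dns = {"jobs.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}

    def fake_resolver(host: str) -> List[str]:
        return fake_dns.get(host, [])

    for candidate in ("https://jobs.example/careers/42", "http://127.0.0.1:22",
                      "file:///etc/passwd", "https://intranet.example/"):
        print(candidate, "->", validate_outbound_url(candidate, fake_resolver))
```

The 201-versus-400 difference the write-up relies on is a second, independent leak: even with this check in place, the application should answer the user the same way whether or not the fetch succeeded (for example, accept the link and verify it asynchronously), because any destination that does get through the check would otherwise still report open and closed ports through the status code.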

So, as I said, it was a kind of social networking site.

The job posting URL box is shown below.

(Screenshot: the job posting URL box, labelled "To add external job link")

So when I was testing for a port scan through this field by simply using localhost (127.0.0.1) and different ports,

the web page was not showing any error, but we have our cool friend Burp.

It was not showing me whether a port was open or closed.

now what????

In addition to http://, I tried the other URL schemes to read files and make the server perform actions (file:///, dict://, ftp://, ldap:// and gopher://).

However, only http:// was working, so I opened my Burp.

  1. I had two choices to check, so first I checked it with Burp Collaborator (you can read more about it at the link given below), and the other was a manual check port by port.

I checked the target; below are the request and response.

Note: if you do not have a VPS, … Collaborator Everywhere in Burp can help you with testing…

(Screenshot: received DNS lookup)

So that gave me the idea that there is SSRF,

so I decided to check whether ports are open or closed.

As only https:// was allowed,

I first checked port 443: 127.0.0.1:443

It gave me 400 Bad Request …

(Screenshot: 400 Bad Request on port 443)

Now what? I checked another port, 22: 127.0.0.1:22

(Screenshot: response on port 22)

In this way I found many ports open and closed, and scanned all the ports, which gave

201 and 400 responses …
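The port-by-port probing just described leaves a clear trace in the application's own logs: one account submitting job links whose host is loopback or a private address, across many distinct ports, and getting a mix of 201 and 400 back. The following is an added example (my own code, not from the write-up) that runs that detection over constructed log lines; the key=value log format, field names and user ids are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed application log lines, one per submission of the external job
# link field. The format (key=value pairs) is an assumption for this example.
SAMPLE_LOG = """\
2018-06-29T10:15:01Z client=198.51.100.7 user=u123 job_url=https://jobs.example/careers/42 status=201
2018-06-29T10:15:09Z client=198.51.100.7 user=u123 job_url=http://127.0.0.1:443/ status=400
2018-06-29T10:15:11Z client=198.51.100.7 user=u123 job_url=http://127.0.0.1:22/ status=201
2018-06-29T10:15:13Z client=198.51.100.7 user=u123 job_url=http://127.0.0.1:3306/ status=400
2018-06-29T10:15:14Z client=198.51.100.7 user=u123 job_url=http://127.0.0.1:6379/ status=201
2018-06-29T10:16:40Z client=203.0.113.9 user=u456 job_url=http://localhost:8080/admin status=400
2018-06-29T10:17:02Z client=192.0.2.50 user=u789 job_url=https://example.org/jobs/7 status=201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"job_url=(?P<url>\S+) status=(?P<status>\d+)$"
)
# Names that always mean "this server" regardless of DNS.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def target_is_internal(url: str) -> bool:
    """True when the URL's host is a literal non-public address or a local name.

    A real DNS name is reported as not internal here: judging it needs a
    resolver, which a log-based detector usually does not have.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    if host in LOCAL_NAMES:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def target_port(url: str) -> Optional[int]:
    """Explicit port of the URL, or the scheme default; None if malformed."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return None
    if port is not None:
        return port
    return 443 if parts.scheme.lower() == "https" else 80


def find_internal_probes(log_text: str, min_ports: int = 3) -> List[Dict]:
    """Group submissions that target internal hosts by user.

    A user touching min_ports or more distinct ports is labelled "port-scan";
    any internal target at all is still reported as "internal-target".
    """
    per_user: Dict[str, Dict] = defaultdict(
        lambda: {"clients": set(), "ports": set(), "statuses": set(), "urls": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not target_is_internal(m["url"]):
            continue
        info = per_user[m["user"]]
        info["clients"].add(m["client"])
        port = target_port(m["url"])
        if port is not None:
            info["ports"].add(port)
        info["statuses"].add(int(m["status"]))
        info["urls"].append(m["url"])

    findings = []
    for user, info in sorted(per_user.items()):
        findings.append({
            "user": user,
            "clients": sorted(info["clients"]),
            "severity": "port-scan" if len(info["ports"]) >= min_ports else "internal-target",
            "distinct_ports": sorted(info["ports"]),
            # Two different status codes for the same internal host is the
            # oracle the write-up describes: the app reflects upstream state.
            "status_codes": sorted(info["statuses"]),
            "submissions": len(info["urls"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_internal_probes(SAMPLE_LOG):
        print(finding)
```

In a real deployment the same grouping would be keyed by user and time window and fed to the SIEM as an alert; a single internal target is already worth a look, while several distinct ports from one account in a short span is the scanning pattern this write-up demonstrates.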

Report details:

29 June 2018 — Bug reported to the company.

29 June 2018 — Bug triaged by the team.

29 June 2018 — Bug fixed.

2 July 2018 — Rewarded me a cool bounty, and

the program will launch on HackerOne soon.

Feel free to ask any questions about this.

Twitter @w_hat_boy

Thanks :)