Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneMadara_H1:2301565
HistoryJan 02, 2024 - 7:22 a.m.

HackerOne: Server Side Request Forgery (SSRF) in webhook functionality

2024-01-0207:22:05
madara_
hackerone.com
$2500
46
vulnerability
ssrf
webhooks
bypass
impact
security measures
validation
anti-ssrf rules
php server
hackerone

6.7 Medium

AI Score

Confidence

Low

JSON

Summary:

  • SSRF stands for “Server-Side Request Forgery” in English. It refers to a security vulnerability where an attacker can manipulate a web application to make HTTP requests from the server side instead of the client side. This can allow the attacker to access internal and sensitive resources that are not normally accessible.
  • In an SSRF attack, the attacker can manipulate the requests made by an application to target internal resources such as local files, internal services, or even systems on the internal network. This can lead to the disclosure of sensitive information or unauthorized actions being performed on the server.
  • In this case I was able to bypass the anti ssrf rules in the implemented webhook functionality, I noticed that there is no filter enabled for IPV6 IP addresses with IPv6 address mapped to IPv4.

Description:

Steps To Reproduce

  • To play this account you need to have an organizational account.
  • Additionally, it is necessary to have a public server that interprets php, you can use 000webhost.com
  1. Create a public PHP server and upload the following file h1.php:
<?php
// Obtén los datos de la solicitud
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
header("Content-Type: application/json");
header("Location: http://[::ffff:a9fe:a9fe]"); //IPV6 Compressed
?>
  1. Save the public url where the php script is located
  2. Log in to your hackerone account
  3. Enter your organization’s program settings
  4. Look for the webhooks option.
  5. Create a webhook with the previously copied url.
  6. Once the webhook is created, edit it and click on the Test request button
  7. You can see in the webhook logs that in response it launches the header server: EC2ws which corresponds to the Amazon metada instance.

Impact

  • “Server-Side Request Forgery” (SSRF) is a security vulnerability that can have various negative impacts. It occurs when an attacker tricks a server into making requests on their behalf. This can lead to unauthorized access to internal resources, such as databases or internal services, that are typically not accessible from the outside. Additionally, SSRF can be exploited for port scanning, potentially revealing vulnerable services. Attackers may use SSRF to force servers to perform unwanted actions on internal services, leading to data breaches or malicious activities. The vulnerability also poses a risk of bypassing network restrictions, allowing attackers to circumvent security measures. To mitigate SSRF, it is crucial to implement secure development practices, validate and filter user inputs effectively, and ensure that servers do not make unauthorized requests to internal resources. Utilizing whitelists for permitted addresses and disabling unnecessary DNS resolution are recommended measures to enhance security.

6.7 Medium

AI Score

Confidence

Low

JSON