huntr report 4386FD8B-8C80-42BB-87B8-B506C46597DE by Haxatron
Dec 05, 2021 - 6:00 p.m.

Server-Side Request Forgery (SSRF) in snipe/snipe-it

2021-12-05 18:00:16
haxatron
www.huntr.dev
Tags: ssrf, slack integration, port scanning, internal network, web servers, vulnerability, fix, bug bounty

EPSS: 0.001
Percentile: 41.1%

Description

Admin users on the external network can perform blind POST-based SSRF (issue requests on behalf of the server into the internal network) via the Slack Integration.

Performing portscans

1: Go to Slack Integrations

2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message:
cURL error 7: Failed to connect to 127.0.0.1 port 1337: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
This indicates that requests can be made to 127.0.0.1 and that port 1337 on 127.0.0.1 is closed.

Interacting with internal webservices

1: We will set up a server on the internal network for demonstration purposes.

2: Run the following Node.js code (requires the express package):

var express = require('express')
var app = express()

// Any POST to /shutdown terminates the process, so a single blind
// server-side request is enough to observe the effect.
app.post('/shutdown', function(request, response) {
  console.log("Server shutting down")
  process.exit()
})

// Bind to all interfaces so the Snipe-IT host can reach this service.
const port = 3000
const ip = '0.0.0.0'
app.listen(port, ip)
console.log(`Listening at http://localhost:${port}`)

3: Now input http://[NODE-SERVER-IP]:3000/shutdown and watch the server shutdown.

Impact

This vulnerability allows port-scanning of the internal network and issuing POST requests to web servers on the internal network, which can be escalated to higher impact.

Recommended Fix

Only allow the integration URL if the host === hooks.slack.com.

OR only allow the XXXXX portion of hooks.slack.com/XXXXXX from the frontend and append it to the "hooks.slack.com/" string in the backend.
