Goutham A S
3 min read · Oct 22, 2022

Server-Side Request Forgery Leads to Information Disclosure

Hello folks, in this article I will explain how to find SSRF → Information Disclosure.

Let's get started !!

In this blog I am going to explain how I found a Server-Side Request Forgery and escalated it into Information Disclosure to increase the impact.

What is Server-Side Request Forgery, commonly known as SSRF?

It is an attack in which a user or attacker sends a forged request to the target application. If the application is vulnerable, it will give up internal sensitive information such as the origin IP, SMTP details, cloud metadata, internal ports, and other isolated services behind the infrastructure in its response.

Consider the target domain to be https://vulnerableapp.com. It has file upload functionality where I am able to upload PNG, JPG, and SVG formats.

During the Information Gathering or Recon phase, I found that the application was behind the Cloudflare Web Application Firewall (WAF), which protects the application from common attacks.

First I tried to break the front-end upload extension logic for RCE by changing .png and .jpg → some shell formats; unfortunately, I couldn't.

Then I tried to bypass the content type by setting it to text/html for XSS, and again the application responded with nothing.

I tried adding a double extension; that didn’t work either.

What the F**k

Then I was disappointed and terminated my Burp window.

After 2–3 days, while I was surfing the internet, I found something interesting about SVG uploads.

I realized that there is an option to get a Blind SSRF by uploading SVG payloads.

Then I took the payload, saved it as payload.svg, and uploaded it to https://vulnerableapp.com/uploads/

Immediately I got the response to my collaborator client from the uploaded payload:

This confirms that the application is vulnerable to Blind SSRF.
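From the defending side, the upload handler can refuse any SVG that references something outside the file before a renderer or converter ever opens it. The check below is an added example, not code from the original write-up or the affected application; the function name `svg_upload_problems`, the strict "fragment references only" policy and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption of this sketch: only same-document references ("#id") are allowed.
_DECLS = re.compile(r"<!\s*(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.IGNORECASE)
_CSS_FETCH = re.compile(r"@import|url\((?!\s*['\"]?#)", re.IGNORECASE)
_REF_ATTRS = {"href", "src"}

def _local(name):
    """Strip an XML namespace: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_upload_problems(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means accept."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    if _DECLS.search(text):  # checked before parsing, so no entity is expanded
        return ["DOCTYPE, ENTITY and xml-stylesheet are not allowed"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]
    problems = []
    for el in root.iter():
        tag = _local(el.tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name in _REF_ATTRS:
                if not value.strip().startswith("#"):
                    problems.append(f"<{tag}> {name} points outside the document")
            elif _CSS_FETCH.search(value):
                problems.append(f"<{tag}> {name} loads a resource")
        if tag == "style" and _CSS_FETCH.search(el.text or ""):
            problems.append("<style> block loads a resource")
    return problems

# Constructed sample uploads (not taken from the write-up).
SAFE = (b'<svg xmlns="http://www.w3.org/2000/svg"><linearGradient id="g"/>'
        b'<rect fill="url(#g)" width="4" height="4"/><use href="#g"/></svg>')
EXTERNAL = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<image xlink:href="https://listener.example.invalid/x.png"/></svg>')

if __name__ == "__main__":
    for label, blob in (("safe", SAFE), ("external", EXTERNAL)):
        print(label, svg_upload_problems(blob) or "accepted")
```

Filtering uploads is one layer; the process that renders or converts SVGs should also run without outbound network access.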

I didn’t stop here; I wanted to increase the impact, so I started diving deep again.

I had the origin IP of the server (from the Collaborator). Quickly I fired up my Kali machine and started fuzzing the directories.

Finally……………………………………………………………………!!

Boom !!!!!!!!

I was able to find many sensitive files such as .gitignore, asset folders, some internal images, the web.config, FTP quotas, and some other backup files which are stored in the application web root!

Now I can say the vulnerability has more impact!

Happy Hacking 🥂🥂

Thanks for reading.

Please do follow me for more writeups.


Written by Goutham A S

Assistant Manager - Information Security | Ethical Hacker | Penetration Tester | Blogger | SAST | DAST | API Security | AWSOps | AZ-500 | Reverse Engineering
