Feb 14, 2019

[SSRF] Server Side Request Forgery in a private Program developers.example.com



Program : Private program ( HackerOne ) 
Subdomain : Developers.Example.com 
Bounty : 200$
Severity : Critical
Issue Type : SSRF  


I've found an SSRF vulnerability in a private program on HackerOne.

The affected subdomain (developers) was using a vulnerable Confluence instance, version <= 6.00.

POC example :



Any AWS instance can query an IP and receive information related to that instance and even account information. I then checked the local hostname through the AWS metadata endpoint, by visiting



Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student