SSRF Bypass in private website
SSRF Bypass in private website – Bug Bounty POC
Hello BugBountyPoc viewers, it's been a while since we posted a POC on BugBountyPoc, because we have been busy with our new project: a forum where you can share your tutorials, exploits and challenges and show off your skills (Hall of Fame, Bounty). Today I found some time and decided to post my recent SSRF bypass POC on BugBountyPoc. The SSRF was in a private HackerOne program, so I can't disclose the name of the website; I will use site.com instead of the real website name. So let's start.
So one of my colleagues and friends found a pretty good SSRF in the private site, worth $2k. I decided to take a look into it and try a bypass.
They were allowing the user to fetch data from an external source, so I decided to try SSRF here. First, I tried the simple way: a Cross-Site Port Attack (XSPA) to scan a port of an external website.
After opening the link with port 22 in the URL, the web application gave the error:
“Not safe URL: Port is not permitted 22”
They were using some filter that validated the link and did not allow a port in the URL. After that I just added another : in the URL.
Link : https://subdomain.site.com/fetch?token=1&url=http://scanme.nmap.org::22
and this time the web application showed me a different error.
Error : “Not safe URL: Parse Error”
I found something fishy in this error,
so I decided to scan a closed port (111), and the web application gave a different error: connection refused.
Not safe URL: connect ECONNREFUSED 4x.xx.xx.xxx:111
After seeing the Connection Refused error on the closed port, I was like:
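The root cause in this write-up is that the port filter and the fetcher did not agree on what the URL meant: the filter rejected an explicit `:22`, choked on `::22` with a parse error, yet something still connected to the requested host and port. As an added example (not code from the site or the author), here is a fail-closed validator in Python for a server-side fetch feature. It only ever hands the fetcher a URL rebuilt from parsed components, treats every parse failure as a rejection rather than a fall-through, restricts the port to 80/443, and checks that the destination address is public before any connection is made. The DNS table, the address `1.2.3.4` and the host name `intranet.site.com` are constructed for the demo; the default resolver and the `UnsafeURL` class are this example's own.

```python
"""Fail-closed URL validation for a server-side "fetch this URL" feature.

Added example for this write-up, not code from the target site. The fetcher
never receives the raw user string: it gets a URL rebuilt from parsed
components, every parse failure is a rejection, and the destination address
is checked before any connection is made.
"""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
DEFAULT_PORT = {"http": 80, "https": 443}


class UnsafeURL(ValueError):
    """Raised for any URL the fetcher must not be handed."""


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _system_resolver(host):
    """Default resolver: every address the OS returns for the host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        raise UnsafeURL(f"unresolvable host: {host}") from None
    return [info[4][0] for info in infos]


def validate_fetch_url(url, resolve=None):
    """Return a normalized URL the fetcher may open, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not permitted: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL not permitted")
    try:
        port = parts.port          # ValueError for 'host::22', 'host:abc', ...
    except ValueError as exc:
        raise UnsafeURL(f"parse error: {exc}") from None   # fail closed
    host = parts.hostname          # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    effective_port = port if port is not None else DEFAULT_PORT[parts.scheme]
    if effective_port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not permitted: {effective_port}")
    # Rebuild the authority from the parsed pieces. Anything the parser
    # silently skipped (a stray ':', an '@', odd brackets) makes the rebuilt
    # form differ from what the user sent, so 'host::22' is rejected even on
    # an older Python whose .port returned None instead of raising.
    host_literal = f"[{host}]" if ":" in host else host
    rebuilt_netloc = host_literal if port is None else f"{host_literal}:{port}"
    if rebuilt_netloc != parts.netloc.lower():
        raise UnsafeURL(f"ambiguous authority: {parts.netloc!r}")
    # Check where the request would actually go: IP literals directly,
    # names through the resolver; every returned address must be public.
    addresses = [host] if _is_ip_literal(host) else (resolve or _system_resolver)(host)
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeURL(f"non-public address: {addr}")
    return urlunsplit((parts.scheme, rebuilt_netloc, parts.path or "/", parts.query, ""))


def rejection_reason(url, resolve=None):
    """Reason the validator rejects `url`, or None when it is accepted."""
    try:
        validate_fetch_url(url, resolve)
    except UnsafeURL as exc:
        return str(exc)
    return None


# Constructed DNS table so the demo runs offline; the addresses are made up.
CONSTRUCTED_DNS = {
    "scanme.nmap.org": ["1.2.3.4"],       # stands in for a public host
    "intranet.site.com": ["10.0.0.5"],    # hypothetical internal name
}


def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise UnsafeURL(f"unresolvable host: {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "http://scanme.nmap.org/",        # accepted
        "http://scanme.nmap.org:22",      # explicit port: rejected
        "http://scanme.nmap.org::22",     # the double colon from the write-up: rejected
        "http://intranet.site.com/",      # resolves to RFC 1918 space: rejected
        "http://127.0.0.1:80/",           # loopback literal: rejected
    ):
        print(f"{candidate:30} -> {rejection_reason(candidate, constructed_resolver) or 'OK'}")
```

The resolver check closes the "external fetch reaches internal hosts" case, but validation-time resolution and fetch-time resolution are two lookups; a fetcher that pins the connection to the address this function approved (rather than resolving again) removes that window as well.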
2016-09-02 : Report sent
2016-09-06 : Marked as informative
2016-09-06 : More details sent
2016-09-07 : Triaged
2016-09-15 : Marked as resolved and Bounty awarded