SSRF Bypass in private website

SSRF Bypass in private website – Bug Bounty POC

Hello BugBountyPoc viewers, it's been a while since we posted a POC on BugBountyPoc because we have been busy with our new project, a forum where you can share your tutorials, exploits and challenges and show off your skills (Hall of Fame, Bounty). Today I got some time, so I decided to post my recent SSRF bypass POC on BugBountyPoc. The SSRF was on a private HackerOne program, so I can't disclose the name of the website; I will use site.com instead of the real website name. So let's start.

One of my colleagues and friends found a pretty good SSRF in the private site, worth $2k. So I decided to take a look at it and try to bypass it.

They were allowing users to fetch data from an external source, so I decided to try SSRF here. First I tried the simple way, a cross-site port attack (XSPA), to scan a port of an external website:

https://subdomain.site.com/fetch?token=1&url=http://scanme.nmap.org:22

After opening this link, the web application gave the error:

“Not safe URL: Port is not permitted 22”

They were using some filters and verifying the link, not allowing a port in the URL. After that I just added another : to the URL.

Link : https://subdomain.site.com/fetch?token=1&url=http://scanme.nmap.org::22

This time the web application showed me a different error.

Error : “Not safe URL: Parse Error”

I found something fishy in the error, so I decided to scan a closed port (111), and the web application gave a different error, Connection refused:

Not safe URL: connect ECONNREFUSED 4x.xx.xx.xxx:111

After seeing the Connection Refused error for a closed port I was like :

Report timeline:

2016-09-02 : Report sent
2016-09-06 : Marked as informative
2016-09-06 : More details sent
2016-09-07 : Triaged
2016-09-15 : Marked as resolved and Bounty awarded
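
The three different error messages above ("Port is not permitted", "Parse Error", "connect ECONNREFUSED") are what made the filter easy to probe. As an added example, not code from the original post or from the affected program, here is one way a fetch endpoint can fail closed on malformed URLs and return a single client-facing message. The function names, the port allow-list and the message text are assumptions, and the check covers only scheme, userinfo and port, not destination-address filtering.

```javascript
// Added example: fail-closed URL validation with uniform client errors.
// All names and the allow-lists below are assumptions, not the program's code.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const ALLOWED_PORTS = new Set(['', '80', '443']); // '' = the scheme's default port
const CLIENT_ERROR = 'URL could not be fetched';  // one message for every failure

// Returns { ok: true, href } or { ok: false, reason }.
// `reason` is for server-side logs only and is never sent to the client.
function validateFetchUrl(raw) {
  let u;
  try {
    // WHATWG parser: throws on malformed input such as "host::22",
    // so a parse failure is a rejection, never a pass-through.
    u = new URL(raw);
  } catch {
    return { ok: false, reason: 'parse-error' };
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'userinfo' };
  if (!ALLOWED_PORTS.has(u.port)) return { ok: false, reason: 'port' };
  // Give the fetcher the normalized string so it requests exactly what was checked.
  return { ok: true, href: u.href };
}

// Builds what the HTTP handler returns. `fetchError` stands in for an error
// raised by the outbound request (for example one with code ECONNREFUSED).
function clientResponse(raw, fetchError) {
  const v = validateFetchUrl(raw);
  if (!v.ok) return { status: 400, body: CLIENT_ERROR, log: v.reason };
  if (fetchError) {
    // The socket-level detail stays in the log; the client sees the same text.
    return { status: 400, body: CLIENT_ERROR, log: fetchError.code || 'fetch-failed' };
  }
  return { status: 200, body: 'fetched ' + v.href, log: 'ok' };
}

// Constructed inputs modelled on the URLs in the post; nothing is fetched here.
function demo() {
  const refused = Object.assign(new Error('connect failed'), { code: 'ECONNREFUSED' });
  return [
    clientResponse('http://scanme.nmap.org:22'),
    clientResponse('http://scanme.nmap.org::22'),
    clientResponse('http://scanme.nmap.org', refused),
  ];
}
```

With this shape, the port-filter rejection, the parse failure and the refused connection are indistinguishable to the caller, while the log field still records which one occurred.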
