SSRF Bypass in private website – Bug Bounty POC
Hello BugBountyPoc viewers, it's been a while since we posted a POC on BugBountyPoc because we have been busy with our new project: a forum where you can share your tutorials, exploits and challenges and show off your skills (Hall of Fame, Bounty). Today I got some time, so I decided to post my recent SSRF bypass POC on BugBountyPoc. The SSRF was on a private HackerOne program, so I can't disclose the name of the website; I will use site.com instead of the real website name. So let's start.
One of my colleagues and friends found a pretty good SSRF in the private site, worth $2k, so I decided to take a look and try to bypass the fix.
They allowed users to fetch data from an external source, so I decided to try SSRF here. First I tried the simple way: a Cross Site Port Attack (XSPA) to scan the ports of an external website.
After opening this link, the web application gave the error:
“Not safe URL: Port is not permitted 22”
They were using some filters, verifying the link and not allowing a port in the URL. After that I just added another : in the URL.
Link : https://subdomain.site.com/fetch?token=1&url=http://scanme.nmap.org::22
This time the web application showed me a different error:
Error: "Not safe URL: Parse Error"
I found something fishy in that error,
so I decided to scan a closed port (111), and the web application gave yet another error, Connection refused:
Not safe URL: connect ECONNREFUSED 4x.xx.xx.xxx:111
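The two responses above differ depending on the state of the target port, which is what makes the fetcher usable as a port-state oracle even though the filter rejected a plain `:22`. The root cause pattern is a validator and an HTTP client that disagree about what `host::22` means: the validator cannot parse a port and treats the URL as port-less, while the client still connects to port 22. The following Python, an added example that is not part of the original post or of the affected site's code, models that mismatch with a constructed weak filter and a hypothetical lenient client, and then shows a hardened validator that parses once, rejects anything ambiguous, and returns the canonical URL the fetcher must use. The allowed port set, the scheme allowlist and the `lenient_client_target` behaviour are assumptions for the demonstration.

```python
"""SSRF port-filter mismatch (validator vs. client) and a hardened check.

Constructed example: the weak filter mirrors the behaviour described in the
write-up, the lenient client is a hypothetical model, not a named library.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_PORTS = {80, 443}            # assumption: the fetcher only needs web ports
ALLOWED_SCHEMES = {"http", "https"}  # assumption


def naive_is_safe(url: str) -> bool:
    """Weak filter (constructed): a port that cannot be parsed is treated as
    'no port given', so "host::22" is waved through."""
    parts = urlsplit(url)
    try:
        port = parts.port          # raises ValueError for "host::22"
    except ValueError:
        port = None                # bug: unparseable port == allowed
    return port is None or port in ALLOWED_PORTS


def lenient_client_target(url: str):
    """Hypothetical permissive HTTP client (assumption): whatever follows the
    last ':' in the authority is taken as the port, so "host::22" still
    connects to port 22 even though the filter saw no port."""
    parts = urlsplit(url)
    host, sep, maybe_port = parts.netloc.rpartition(":")
    if sep and maybe_port.isdigit():
        return host.rstrip(":"), int(maybe_port)
    return parts.netloc, 443 if parts.scheme == "https" else 80


def hardened_validate(url: str) -> str:
    """Parse once, reject anything ambiguous, and return the canonical URL.
    The fetcher must use the returned string, never the raw user input."""
    try:
        parts = urlsplit(url)
        port = parts.port          # any parse problem is a rejection, not a pass
    except ValueError as exc:
        raise ValueError(f"Not safe URL: parse error ({exc})")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("Not safe URL: scheme not permitted")
    if not parts.hostname:
        raise ValueError("Not safe URL: missing host")
    effective_port = port or (443 if parts.scheme == "https" else 80)
    if effective_port not in ALLOWED_PORTS:
        raise ValueError(f"Not safe URL: Port is not permitted {effective_port}")
    # Round-trip check: the authority we validated must reproduce exactly the
    # authority a client will see. Extra colons, userinfo or other oddities
    # make the rebuilt netloc differ from the original, so they are rejected.
    canonical_netloc = parts.hostname + (f":{port}" if port else "")
    if canonical_netloc != parts.netloc.lower():
        raise ValueError("Not safe URL: ambiguous authority")
    return urlunsplit((parts.scheme, canonical_netloc, parts.path or "/", parts.query, ""))


def is_rejected(url: str) -> bool:
    """True when the hardened validator refuses the URL."""
    try:
        hardened_validate(url)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed sample input modelled on the write-up's payload shape.
    for candidate in ("http://scanme.nmap.org:22", "http://scanme.nmap.org::22"):
        print(candidate, "| naive filter allows:", naive_is_safe(candidate),
              "| lenient client would connect to:", lenient_client_target(candidate),
              "| hardened rejects:", is_rejected(candidate))
```

The important design point is that the same parse result that was validated is what gets fetched: returning a canonical string from `hardened_validate` removes the second, independent parse by the HTTP client that created the gap. Rejecting on parse failure (instead of defaulting to "no port") closes the specific trick shown in the post; a production fetcher would additionally resolve the host and refuse private or link-local addresses, which this post does not cover.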
After seeing the Connection Refused error on the closed port, I was like:
2016-09-02 : Report sent
2016-09-06 : Marked as informative
2016-09-06 : More details sent
2016-09-07 : Triaged
2016-09-15 : Marked as resolved and Bounty awarded