SSRF in redacted.com: How I Found and Reported a Vulnerability
As a security researcher, it’s always exciting to uncover vulnerabilities in popular web applications. Recently, I came across a Server-Side Request Forgery (SSRF) vulnerability in redacted.com, a well-known platform. In this post, I will be sharing the details of my discovery, including the steps I took to identify the vulnerability and the actions taken by the company to fix the issue.

While testing redacted.com, I noticed that whenever an error occurred, the application sent a request to its Sentry endpoint. I realized that the filename in that request could be manipulated so that the server itself sent a request to a machine I controlled. I created a proof of concept and sent it to the company’s security team. They confirmed the vulnerability and took immediate action to fix it.
How to find this vulnerability?
- Begin by accessing the target website that utilizes Sentry
- Use a proxy/scanner such as Burp Suite to spider the website and locate the Sentry endpoint, which typically appears as “/api/14/store/?sentry_version=7&sentry_client=raven-js%2F3.27.0&sentry_key=<key>”
- Once the endpoint has been located, examine the request body for a parameter named “filename”. This parameter was vulnerable to blind SSRF: the server issued a GET request to whatever URL the value pointed at, including a host controlled by the attacker.
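As an added illustration (this is not code from the post, from redacted.com or from Sentry), the check below is the kind of server-side guard that closes this class of hole: before an ingest service fetches any file referenced by a stack-frame “filename”, it restricts the fetch to an assumed allowlist of script origins and refuses non-global IP literals. The event JSON, the allowlist and the hostnames are constructed for the example.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample of the JSON a raven-js client posts to /api/<id>/store/.
# Only the fields this check needs are present; the attacker-controlled and
# link-local URLs are placeholders, not real targets.
SAMPLE_EVENT = json.dumps({"exception": {"values": [{"stacktrace": {"frames": [
    {"filename": "https://static.example.com/app.js", "lineno": 10},
    {"filename": "app.js", "lineno": 3},
    {"filename": "http://attacker.invalid:8080/x.js", "lineno": 1},
    {"filename": "http://169.254.169.254/latest/meta-data/", "lineno": 1},
]}}]}})

# Assumed allowlist: the only origins this deployment serves its own scripts from.
ALLOWED_HOSTS = {"static.example.com"}

def frame_filenames(event_json):
    """Yield every stack-frame filename in a store-endpoint event."""
    event = json.loads(event_json)
    for value in event.get("exception", {}).get("values", []):
        for frame in value.get("stacktrace", {}).get("frames", []):
            if frame.get("filename"):
                yield frame["filename"]

def is_safe_to_fetch(filename, allowed_hosts=ALLOWED_HOSTS):
    """True only for an http(s) URL whose host is allowlisted and is not a
    non-global IP literal. Resolve and re-check the address at connect time
    too, since an allowlisted name could still resolve to an internal address."""
    url = urlparse(filename)
    if url.scheme not in ("http", "https") or not url.hostname:
        return False
    try:
        if not ipaddress.ip_address(url.hostname).is_global:
            return False
    except ValueError:
        pass  # a hostname, not an IP literal
    return url.hostname in allowed_hosts

def classify(event_json, allowed_hosts=ALLOWED_HOSTS):
    """Return (fetchable, blocked) absolute URLs found in the event's frames.
    Relative names are skipped: they never become outbound requests."""
    fetchable, blocked = [], []
    for name in frame_filenames(event_json):
        if "://" not in name:
            continue
        (fetchable if is_safe_to_fetch(name, allowed_hosts) else blocked).append(name)
    return fetchable, blocked
```

Anything landing in the blocked list is worth logging and alerting on, since a legitimate client never references a script on a link-local or unknown host.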
Impact:
The vulnerability could have allowed an attacker to perform a blind SSRF attack, which, under a different attack scenario, could have been escalated to data exfiltration.

Conclusion:
This incident serves as a reminder that even popular and well-established web applications can be vulnerable to SSRF attacks, and that it’s important for security researchers to actively test for such vulnerabilities. The company rewarded me with a $100 bounty for my findings.
Peace…
Instagram: https://www.instagram.com/rootx_narayanan/
Twitter: https://twitter.com/itsnarayananm
LinkedIn: https://www.linkedin.com/in/narayanan-m-836197199/