Blind SSRF on sending images on private conversation

We received a HackerOne report about the issue below.

What I’m wondering is:

  • Is this a problem?
  • Are there any suggestions / something I can do about it?

Summary:

Hi, I have found a blind SSRF on the hxxps://xyz.com/posts endpoint.

Steps To Reproduce:

  1. Login to your account on xyz.com
  2. Go to private messages (there will be a greeting message from their discobot)
  3. While sending a message, upload an image and intercept the request in Burp
  4. In the payload, change the image upload URL to your canary URL
  5. The payload will look like this

raw=![svg_image|690x388]>(hxxp://canarytokens.com/tags/images/terms/ctw75qckq1htf6n3rt9asrpn3/submit.aspx) &unlist_topic=false&category=&topic_id=1659497&is_warning=false&whisper=false&archetype=regular&composer_open_duration_msecs=12597&featured_link=&shared_draft=false&draft_key=topic_1659497&reply_to_post_number=83&image_sizes[hxxps://xyz.cloudfront.net/uploads/default/original/4X/c/a/9/ca90daba5408ce8b8693f3a5d58e537eb750e906.svg][width]=5120&image_sizes[hxxps://xyz.cloudfront.net/uploads/default/original/4X/c/a/9/ca90daba5408ce8b8693f3a5d58e537eb750e906.svg][height]=2880&nested_post=true

  6. When you send the request, two canary alerts will be triggered (or check the server logs: there will be one request made with a Ruby user-agent and one from their Amazon Compute instance)

Impact

The vulnerability allows an attacker to make arbitrary HTTP/HTTPS requests inside an xyz.com instance's network.

From this thread, it seems like this is due to onebox behavior: "Server-side request forgery vulnerability".
I also saw this HackerOne report from years ago: "SSRF in upload IMG through URL".

Thanks!

Discourse intentionally fetches images and URLs which are included in posts. We have safeguards in place to ensure that those requests cannot target hosts within the server’s private network. Receiving a GET request to a ‘canary token’ does not mean there is a vulnerability.

Please feel free to direct the researcher to our official HackerOne programme. Our policy covers this kind of report:


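The reply above makes two points: Discourse fetches images and URLs in posts by design, and the safeguard that matters is that those fetches cannot reach hosts on the server's private network, so a canary hit on a public host is expected behaviour. The following is an added example of what such a safeguard looks like in Ruby; it is not Discourse's code. It resolves the hostname, refuses any answer in a loopback, private, link-local, CGNAT or metadata range (including IPv4-mapped IPv6 answers and bare IP literals), and then pins the vetted address for the connection so a DNS answer that changes between the check and the connect is not honoured. The hostnames, the lookup table standing in for DNS, and the range list are constructed for this example.

```ruby
require "uri"
require "ipaddr"
require "resolv"
require "net/http"

# Ranges an outbound post-image fetcher should never reach. Constructed list for
# this example; a real deployment adds its own internal ranges.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def blocked_ip?(ip)
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  # ::ffff:10.0.0.1 would otherwise slip past the IPv4 rules.
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve host to every address it currently maps to. `resolver` is injectable
# so the example runs offline; by default it asks the system resolver.
def resolve_all(host, resolver: nil)
  begin
    return [IPAddr.new(host)] # literal IP: vet it directly, no lookup needed
  rescue IPAddr::InvalidAddressError
  end
  resolver ||= ->(h) { Resolv.getaddresses(h) }
  resolver.call(host).map { |a| IPAddr.new(a) }
end

Decision = Struct.new(:allowed, :reason, :pinned_ip, :host)

# Decide whether a URL found in a post may be fetched. Every DNS answer must be
# acceptable (a name answering with one public and one internal address is
# refused), and the address we will connect to is returned for pinning.
def vet_outbound_url(url, resolver: nil)
  uri = URI.parse(url)
  unless %w[http https].include?(uri.scheme) && uri.hostname
    return Decision.new(false, "unsupported scheme or missing host", nil, nil)
  end
  host = uri.hostname # strips the [] of an IPv6 literal
  addrs = resolve_all(host, resolver: resolver)
  return Decision.new(false, "host did not resolve", nil, host) if addrs.empty?
  bad = addrs.find { |a| blocked_ip?(a) }
  return Decision.new(false, "resolves to blocked address #{bad}", nil, host) if bad
  Decision.new(true, "ok", addrs.first.to_s, host)
rescue URI::InvalidURIError => e
  Decision.new(false, "unparseable url: #{e.message}", nil, nil)
end

# Connect to the vetted IP instead of resolving the name again (DNS rebinding
# defence); Host and SNI still carry the original name. Redirects are not
# followed here: each Location must go back through vet_outbound_url first.
def pinned_get(url, decision, user_agent: "Example fetcher")
  uri = URI.parse(url)
  http = Net::HTTP.new(decision.host, uri.port)
  http.ipaddr = decision.pinned_ip
  http.use_ssl = (uri.scheme == "https")
  http.open_timeout = http.read_timeout = 5
  req = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => user_agent, "Host" => decision.host)
  http.request(req)
end

# Constructed lookup table standing in for DNS so the example runs offline.
EXAMPLE_DNS = {
  "canarytokens.com"  => ["203.0.113.10"],               # public (TEST-NET-3)
  "rebind.example"    => ["203.0.113.20", "10.0.0.5"],   # mixed public/internal answers
  "metadata.example"  => ["169.254.169.254"],            # cloud metadata endpoint
  "mapped.example"    => ["::ffff:192.168.1.1"],         # IPv4-mapped IPv6 answer
}
EXAMPLE_RESOLVER = ->(host) { EXAMPLE_DNS.fetch(host, []) }

if __FILE__ == $0
  %w[http://canarytokens.com/tags/x/submit.aspx http://rebind.example/
     http://metadata.example/latest/meta-data/ http://127.0.0.1:8080/ http://[::1]/].each do |u|
    d = vet_outbound_url(u, resolver: EXAMPLE_RESOLVER)
    puts "#{u} -> #{d.allowed ? "fetch via #{d.pinned_ip}" : "deny (#{d.reason})"}"
  end
end
```

The canary URL from the report passes this check, and is meant to: it resolves to a public address, so the fetcher performs exactly the request Discourse's reply says it makes on purpose. The cases that matter for the reported impact (loopback, RFC 1918, the metadata address, an IPv6 loopback literal, a mapped address, a decimal IP that the resolver does not answer, and a name that mixes a public and an internal answer) are all refused.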