Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by grycolor - 16.01.2024
Last edited by cbay - 18.01.2024

FS#14 - Potential SSRF Vulnerability via Self-XSS

Description:

During a penetration testing process, I discovered a Self-XSS vulnerability on the page https://admin.alwaysdata.com/site/resolver/. This vulnerability has the potential to escalate into a Server-Side Request Forgery (SSRF) attack, allowing attackers to make unauthorized requests from the server. This poses risks such as data breaches and potential compromise of internal systems.

While the initial exploitation may require self-XSS, the underlying issue of unvalidated user input leading to SSRF is a critical vulnerability that must be addressed.

Steps To Reproduce:

Step 1 : Open BurpSuite.

Step 2 : Navigate to the following link in a web browser: https://admin.alwaysdata.com/site/resolver/. Capture the traffic. Paste the payloads into the intercepted request body.

Payload 1:

{"addresses":["<script>alert(document.domain);</script>"]}

  (This payload triggers an alert displaying the value of document.domain.)

Payload 2:

{"addresses":["<img src=http://ox7dn3y4fsbqfkyzmmb5alv7i.odiss.eu/>"]}

  (This payload makes unauthorized requests from the server.)

The second payload initiates unauthorized requests from the server. In the above payloads, I utilized OAST to examine the responses.

Impact:

Attackers could steal sensitive information stored on the server.
By crafting malicious URLs, attackers could gain access to internal network resources that are not publicly accessible.

Closed by cbay
18.01.2024 08:40
Reason for closing: Invalid

cbay (Admin) commented on 16.01.2024 08:31

Hello,

Regarding "payload 1": if you manually modify the requests or responses body, well of course you can manipulate the code to do whatever you want on your browser. That's a Self-XSS, which is not a technical vulnerability. You cannot exploit anything with that.

Regarding "payload 2": the whole point of that endpoint (https://admin.alwaysdata.com/site/resolver/) is to do a DNS resolution on the addresses specified. There's no security issue in resolving addresses, even bad ones that you do control. You cannot steal anything or gain access to anything.

Kind regards,
Cyril
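The distinction cbay draws is worth pinning down: an endpoint that only resolves names performs a DNS lookup and never connects to the result, so an OAST collaborator seeing a DNS query for a name you submitted is the endpoint doing its job, not evidence of SSRF. SSRF would require the server to issue an HTTP (or other) request to a target you chose. The following is an added example, not alwaysdata's code and not a description of how /site/resolver/ is actually implemented: a hypothetical resolver handler with an injectable lookup function so it runs offline, a hostname validator that rejects both payloads from the report, and a small triage helper over constructed OAST records that only reports server-originated requests when an HTTP interaction is present. All function names, the record format and the sample data are assumptions.

```python
# Added example: a model of a DNS-resolution endpoint and of OAST triage.
# This is NOT alwaysdata's code; the real /site/resolver/ implementation is
# unknown. Function names, the record format and all sample data are assumed.
import ipaddress
import json
import re
import socket

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, total length <= 253, optional trailing dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_address(value) -> bool:
    """True if value is an IP literal or a syntactically valid hostname.

    Anything containing '<', '/', spaces or quotes (both payloads from the
    report) is rejected before any lookup happens.
    """
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def resolve_addresses(body: str, lookup=socket.gethostbyname) -> list:
    """Hypothetical handler for a JSON body of the form {"addresses": [...]}.

    Each valid entry gets a DNS lookup and nothing else: no socket is opened
    to the resolved IP and no URL is fetched, which is why resolving an
    attacker-controlled name is not SSRF. `lookup` is injectable so the
    example runs without network access (assumed design, not the real one).
    """
    data = json.loads(body)
    addresses = data.get("addresses")
    if not isinstance(addresses, list):
        raise ValueError("addresses must be a list")
    results = []
    for addr in addresses:
        if not is_valid_address(addr):
            results.append({"address": addr, "error": "invalid address"})
            continue
        try:
            results.append({"address": addr, "ip": lookup(addr)})
        except OSError as exc:
            results.append({"address": addr, "error": str(exc)})
    return results


def classify_oast(interactions: list) -> dict:
    """Summarise OAST collaborator hits to separate 'the name was resolved'
    from 'the server fetched my URL'.

    Record format is assumed: each dict carries a "protocol" key ("dns" or
    "http"). A DNS-only hit is exactly what a resolver endpoint produces; only
    an HTTP hit would show the server issuing a request on the tester's behalf.
    """
    dns_hits = sum(1 for i in interactions if i.get("protocol") == "dns")
    http_hits = sum(1 for i in interactions if i.get("protocol") == "http")
    return {
        "dns_hits": dns_hits,
        "http_hits": http_hits,
        "server_request_observed": http_hits > 0,
    }


if __name__ == "__main__":
    # Constructed input: the two payloads from the report plus a benign name.
    body = json.dumps({"addresses": [
        "example.com",
        "<script>alert(document.domain);</script>",
        "<img src=http://ox7dn3y4fsbqfkyzmmb5alv7i.odiss.eu/>",
    ]})
    fake_lookup = {"example.com": "192.0.2.10"}.__getitem__  # offline stand-in
    for entry in resolve_addresses(body, lookup=fake_lookup):
        print(entry)

    # Constructed OAST log: one DNS query for the collaborator name, no HTTP.
    oast_log = [{"protocol": "dns", "query": "ox7dn3y4fsbqfkyzmmb5alv7i.odiss.eu"}]
    print(classify_oast(oast_log))
```

When triaging a report like this one, the question to ask of the OAST evidence is which protocol the interaction arrived on: a DNS query for a submitted name proves resolution, which is the documented purpose of the endpoint, while an HTTP request arriving from the server's address would be the first real sign of SSRF.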
