- Status Closed
- Assigned To No-one
- Private
Opened by grycolor - 16.01.2024
Last edited by cbay - 18.01.2024
FS#14 - Potential SSRF Vulnerability via Self-XSS
Description:
During a penetration testing process, I discovered a Self-XSS vulnerability on the page https://admin.alwaysdata.com/site/resolver/. This vulnerability has the potential to escalate into a Server-Side Request Forgery (SSRF) attack, allowing attackers to make unauthorized requests from the server. This poses risks such as data breaches and potential compromise of internal systems.
While the initial exploitation may require self-XSS, the underlying issue of unvalidated user input leading to SSRF is a critical vulnerability that must be addressed.
Steps To Reproduce:
Step 1: Open BurpSuite.
Step 2: Navigate to the following link in a web browser: https://admin.alwaysdata.com/site/resolver/ . Capture the traffic. Paste the payloads into the intercepted request body.
Payload 1:
{"addresses":["<script>alert(document.domain);</script>"]}
(This payload triggers an alert displaying the value of document.domain.)
Payload 2:
{"addresses":["<img src=http://ox7dn3y4fsbqfkyzmmb5alv7i.odiss.eu/>"]}
(This payload makes unauthorized requests from the server.)
The second payload initiates unauthorized requests from the server. In the above payloads, I utilized OAST to examine the responses.
Impact:
Attackers could steal sensitive information stored on the server.
By crafting malicious URLs, attackers could gain access to internal network resources that are not publicly accessible.
Hello,
Regarding "payload 1": if you manually modify the request or response body, well of course you can manipulate the code to do whatever you want on your browser. That's a Self-XSS, which is not a technical vulnerability. You cannot exploit anything with that.
Regarding "payload 2": the whole point of that endpoint (https://admin.alwaysdata.com/site/resolver/) is to do a DNS resolution on the addresses specified. There's no security issue in resolving addresses, even bad ones that you do control. You cannot steal anything or gain access to anything.
Kind regards,
Cyril
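As an added illustration (not alwaysdata's code and not part of this report), here is a hypothetical handler for a resolver endpoint of the kind discussed: it accepts only syntactic hostnames or IP literals from the {"addresses": [...]} body, so both reported payloads are rejected before any lookup, and the lookup itself is a DNS query, not an HTTP request, which is the distinction Cyril draws. Function names and the list-size limit are assumptions.

```python
import ipaddress
import json
import re
import socket

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. A hostname is dot-separated labels, at most 253 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(value: str) -> bool:
    if not value or len(value) > 253:
        return False
    name = value[:-1] if value.endswith(".") else value  # tolerate a trailing dot
    return all(_LABEL.match(label) for label in name.split("."))


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_addresses(body: str, limit: int = 20):
    """Parse {"addresses": [...]} and split entries into (accepted, rejected).
    Only strings that look like a hostname or an IP literal are accepted; markup
    such as <script> or <img ...> never reaches the resolver. The limit is an
    assumed cap on how many names one request may ask to resolve."""
    entries = json.loads(body).get("addresses")
    if not isinstance(entries, list) or len(entries) > limit:
        raise ValueError("addresses must be a list of at most %d items" % limit)
    accepted, rejected = [], []
    for entry in entries:
        if isinstance(entry, str) and (is_hostname(entry) or is_ip_literal(entry)):
            accepted.append(entry)
        else:
            rejected.append(entry)
    return accepted, rejected


def resolve(names):
    """DNS lookup only: getaddrinfo asks the resolver for address records.
    Nothing here opens a connection to the name, so resolving a name the
    client controls is not the same as the server requesting a URL."""
    result = {}
    for name in names:
        try:
            result[name] = sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            result[name] = []
    return result
```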