FS#182 - Server-Side Request Forgery (SSRF)
Status: Closed
Assigned To: cbay (Private)
Opened by master_mind - 12.06.2025
Last edited by cbay - 12.06.2025
Summary
During a security assessment of the api.alwaysdata.com API, a Server-Side Request Forgery (SSRF) vulnerability was identified in the GET /v1/site/doc/?9detl8s0ik=1 endpoint. This vulnerability allows an attacker to manipulate internal server requests and potentially interact with internal services that should not be exposed to the public.
Vulnerability Details:
Endpoint: GET /v1/site/doc/?9detl8s0ik=1
Host: api.alwaysdata.com
Vulnerability Type: Server-Side Request Forgery (SSRF)
Severity: High
Request:

GET /v1/site/doc/?9detl8s0ik=1 HTTP/1.1
Host: api.alwaysdata.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Referer: https://api.alwaysdata.com/doc/
X-Forwarded-Host: cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com
X-Host: cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com
X-Forwarded-Server: cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com

Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
...
<a href="https://cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com/v1/site">https://cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com/v1/site</a>
...
Impact
The application is processing the values of X-Forwarded-Host and related headers without proper validation or sanitization. This allows an attacker to manipulate server requests and potentially:
- Access internal services.
- Bypass IP restrictions.
- Enumerate internal infrastructure.
- Perform further attacks like internal port scanning or exploiting internal APIs.
Proof of Concept (PoC)
By setting the X-Forwarded-Host header to a Burp Collaborator or OAST domain, I was able to confirm that the server included this manipulated domain in its internal requests and reflected it in the response.
Example: X-Forwarded-Host: cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com
The response included: <a href="https://cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com/v1/site">...</a>
This confirms the application made a server-side request using the attacker-controlled input.
Recommendations:
- Do not trust client-supplied headers such as X-Forwarded-Host, X-Host, and X-Forwarded-Server.
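The behaviour the report describes (a forwarded-host header copied verbatim into the authority of an absolute link in the HTML) next to the allowlisted form that the recommendation calls for, as an added example. This is not alwaysdata's code; the header names and the /v1/site path come from the report above, while the allowlist, the header precedence order and the function names are assumptions. Note that neither function opens a connection to the supplied host: the trusting version only echoes the header value into the response body returned to the client that sent it.

```python
"""Forwarded-host reflection: a trusting link builder beside an allowlisted one.

Added example, not the project's own code. The header names and the
/v1/site path mirror the report; everything else here is assumed.
"""
import re

# Assumed: the hostnames this API is legitimately served under.
ALLOWED_HOSTS = {"api.alwaysdata.com"}
CANONICAL_HOST = "api.alwaysdata.com"

# Assumed precedence, modelled on common reverse-proxy conventions.
FORWARDED_HOST_HEADERS = ("X-Forwarded-Host", "X-Host", "X-Forwarded-Server")

# Strict hostname[:port] shape (RFC 1123 labels, optional numeric port).
# Anything else (userinfo, slashes, angle brackets, spaces) is rejected.
_HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::\d{1,5})?$",
    re.IGNORECASE,
)

# Constructed from the request in the report above.
REPORTED_HEADERS = {
    "Host": "api.alwaysdata.com",
    "X-Forwarded-Host": "cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com",
    "X-Host": "cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com",
    "X-Forwarded-Server": "cgwz6v1c70kcuf3j0gbyvkb38uel2fq4.oastify.com",
}


def _header(headers, name):
    """Case-insensitive lookup over a dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _first_forwarded_host(headers):
    """First forwarded-host header present, else the Host header."""
    for name in FORWARDED_HOST_HEADERS + ("Host",):
        value = _header(headers, name)
        if value:
            return value
    return None


def build_link_trusting_headers(headers, path="/v1/site"):
    """Mirrors the reported behaviour: whatever a client sends in
    X-Forwarded-Host (or the next header in line) becomes the authority
    of an absolute link in the page. No outbound request is made; the
    value is simply reflected to the client that supplied it."""
    host = _first_forwarded_host(headers)
    return f"https://{host}{path}"


def build_link_allowlisted(headers, path="/v1/site"):
    """Hardened form: the candidate host must parse as a bare hostname
    (optionally with a port) and be one the service is configured for.
    Otherwise the configured canonical host is used, so a client can
    never steer the link to a host of its choosing."""
    candidate = _first_forwarded_host(headers) or ""
    match = _HOST_RE.match(candidate)
    host = match.group(1).lower() if match else ""
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}{path}"


if __name__ == "__main__":
    print("trusting:    ", build_link_trusting_headers(REPORTED_HEADERS))
    print("allowlisted: ", build_link_allowlisted(REPORTED_HEADERS))
```

In a real deployment the allowlist would come from configuration (the framework-level equivalent of a trusted-hosts setting), and forwarded headers would only be honoured at all when the request arrives from a proxy the application trusts.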
Hello,
That's not true, the application does not make any request.
Kind regards,
Cyril
Once the link is accessed, the request will be automatically sent.
I have prepared a proof of concept including screenshots and a video, but I can't upload them.
Any updates?
You can host your screenshots/videos anywhere you want, e.g. on your alwaysdata account, and post links here.
1. https://drive.google.com/file/d/1b_FgI7Df8fx77-rqTbiwC5NMMVBBBawp/view?usp=sharing
2. https://drive.google.com/file/d/1E4CBa73O6jJw9vL0sC3nrPrRMDA3C54n/view?usp=sharing
3. https://drive.google.com/file/d/1281Epj8yr0Glmg1OoK0KQiH5IWxoB_-1/view?usp=sharing
We can also consider this vulnerability HTML injection without user interaction, since we can modify the link to a malicious one. When the user clicks on it, they will be redirected to a suspicious or malicious page.
As I said, our application does not make any request, and none of your screenshots/videos shows that it does.
Obviously, if you click on it, it does make a request, but since you cannot modify a victim's page, there's no vulnerability.
If what you say is right, then we can consider this HTML injection.