Task Description
Summary: The application exposes the XML-RPC endpoint with the pingback.ping method enabled and accessible without authentication. This allows an unauthenticated attacker to supply an arbitrary external URL, causing the server to initiate outbound network requests. This behavior was confirmed via an out-of-band DNS interaction using a controlled Burp Collaborator (OAST) domain, demonstrating a Server-Side Request Forgery (SSRF) condition.

Severity: High

Affected Component:
• URL: https://blog.alwaysdata.com/xmlrpc.php
• Protocol: XML-RPC
• Authentication: Not required

Vulnerability Type:
• Server-Side Request Forgery (SSRF)
• XML-RPC Pingback Abuse

Description: The XML-RPC interface allows the pingback.ping method to be invoked without authentication. By providing a specially crafted request containing an attacker-controlled URL, the server performs a DNS resolution and attempts to connect to the supplied domain. This behavior enables an attacker to coerce the server into making arbitrary outbound requests, which is the core condition of SSRF. The issue was validated by observing a DNS lookup from the target server to a Burp Collaborator domain, confirming that the request originated from the vulnerable server itself.

Steps to reproduce:
1] Capture a request to https://blog.alwaysdata.com/xmlrpc.php in Burp Suite and send it to Repeater.
2] Replace the request body in Repeater with the following XML-RPC call (substitute your own Collaborator link):
    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://collaborator_link</string></value></param>
        <param><value><string>https://blog.alwaysdata.com/xmlrpc.php</string></value></param>
      </params>
    </methodCall>
3] Observe the out-of-band interaction. The Burp Collaborator server records a DNS lookup originating from the target server:
• Interaction Type: DNS
• Source IP: 185.31.40.97
• And other info
This confirms that the target server processed the supplied URL and initiated a server-side network request.

Impact: An attacker can abuse this vulnerability to:
• Force the server to make arbitrary outbound network requests
• Perform internal network reconnaissance (SSRF scanning)
• Bypass firewall and IP-based access controls
• Leak internal infrastructure behavior
• Abuse the server for reflected or indirect denial-of-service (DDoS) attacks
In certain environments, this may allow access to internal services not exposed to the public internet, increasing the risk of further compromise.

Mitigation:
• Disable XML-RPC entirely if not required
• Disable the pingback.ping method specifically
• Restrict XML-RPC access to trusted IPs only
• Validate and allowlist outbound URLs
• Block arbitrary outbound DNS and HTTP requests from the application server
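As an added example (not part of this report or the affected application), the following Python implements the "validate and allowlist outbound URLs" mitigation server-side: it parses a pingback.ping call with the same shape as the payload above and refuses to fetch the sourceURI unless the targetURI is on the site's own host and the source resolves only to public addresses. The request body, hostnames and resolver are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed pingback.ping request body with the same shape as the report's payload;
# the hostnames are placeholders, not the reported site or a real Collaborator domain.
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://source.example/post/1</string></value></param>
    <param><value><string>https://blog.example/?p=42</string></value></param>
  </params>
</methodCall>"""

def parse_pingback(body: bytes):
    """Return (sourceURI, targetURI) from a pingback.ping methodCall, else None."""
    try:
        root = ET.fromstring(body)  # stdlib ElementTree does not fetch external entities
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    values = [v.text or "" for v in root.findall("./params/param/value/string")]
    return (values[0], values[1]) if len(values) == 2 else None

def check_pingback(source: str, target: str, own_hosts: set, resolve):
    """Return (allowed, reason). `resolve(host)` -> list of IP strings, injected so the
    check runs offline. The fetcher must connect to the validated addresses rather than
    re-resolving the name, or a DNS rebinding answer would bypass the check."""
    tgt = urlsplit(target)
    if tgt.scheme not in ("http", "https") or tgt.hostname not in own_hosts:
        return False, "targetURI is not a post on this site"
    src = urlsplit(source)
    if src.scheme not in ("http", "https") or not src.hostname:
        return False, "sourceURI must be an http(s) URL"
    if src.hostname in own_hosts:
        return False, "sourceURI points back at this site"
    addrs = resolve(src.hostname)
    if not addrs:
        return False, "sourceURI does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (incl. cloud metadata), etc.
        if not ip.is_global:
            return False, f"sourceURI resolves to non-public address {ip}"
    return True, "ok"
```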
Regards, Vishal Sanjay Jadhav. Ethical Hacker & Cyber Security Analyst. vp666159@gmail.com