Hello there, my name is khaled Mohamed — xElkomy
What is the SSRF or Server Side Request Forgery?
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed.
The above string about SSRF, it’s from OWASP, I’m not a fan of remaking the wheel from scratch for that I just copy the description from OWASP To here :).
Way back machine
The Wayback Machine is a digital archive of the World Wide Web. It was founded by the Internet Archive, a nonprofit library based in San Francisco, California. Created in 1996 and launched to the public in 2001, it allows the user to go “back in time” and see how websites looked in the past. Its founders, Brewster Kahle and Bruce Gilliat, developed the Wayback Machine to provide “universal access to all knowledge” by preserving archived copies of defunct web pages.
Let’s start, the scenario was about to make some of the recons on the XYZ program to find some bugs, the thing is when I begin my recon I do the following.
1 — Enumeration of the subdomains with subfinder.
2 — check the alive subdomains and gather the cnames to check if there is any subdomain takeover available.` Dig command and Httpx`
3— Test the subdomains with scanners like nuclei to scan some of the CVEs and some of the misconfigurations.
4 — Gather all the Wayback machines about my XYZ program.
5 — Start the manual scan with the previous step.
We will start here with the last step from the above words.
It’s was when I checked the way back machine with that URL.
And after scrolling on the page, I found a subdomain with an interesting name, after some manual search about bugs on that site I found an action to make a request with a URL parameter.
When I start to test that URL it was with Interact.sh
My first check was to know are the server works on Microsoft Azure or AWS or Google Cloud to try some internal IPs.
The first test was to make the URL to be like that
The Site response to me was to make my interact URL response to pdf.
I go back to https://app.interactsh.com/#/
- And I take the IP from the interact.sh dashboard and check the IP on that site
And Boo0m the IP from AWS after that directly I go to GitHub and open the PayloadsAllTheThings and get that folder.
I take that payload and check if the site allows me to print the internal content or resources or not.
The escalation found Secret token:-
After some prints on the pdf with http://169.254.169.254/latest/meta-data, I found the secret token and access token with that URL.
After That, I go to the Program page on the hackerone platform and Create a report.
In the Final, The Report was accepted as critical.
I hope you enjoyed that article if it was helpful to you make sure you follow me on
If you have any questions feel free to contact me on
Thank you to read.