Esse Esse Erre Effe
Esse Esse Erre Effe stands for the Portuguese pronunciation of SSRF. It's a simple SSRF that uses a redirect to bypass filters and extract metadata from the cloud infrastructure.
Approaching the app
The application lets the user submit a URL to a website and then returns the response inside a JSON object.
If we try to access the metadata API's IP address directly, the app refuses to retrieve the data.
The exploit
We can try to retrieve the data by making the server send a request to us and then redirecting it to the cloud API via an HTTP Location header.
One could simply serve the following PHP code:
Then point the SSRF request at the controlled server to retrieve the metadata.
And the flag is retrieved among the metadata :0
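The redirect gets through because the filter is applied to the submitted URL but not to the Location target the server then follows. As an added example (not code from the challenge), here is a fetcher that re-validates every hop; the host names, the fake DNS and HTTP tables, and the helper names are constructed assumptions, and 169.254.169.254 is the link-local address commonly used for cloud metadata:

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed data standing in for DNS and HTTP so the example runs offline.
FAKE_DNS = {"attacker.example": "203.0.113.10", "site.example": "198.51.100.7"}
FAKE_HTTP = {
    "http://attacker.example/r": (302, {"Location": "http://169.254.169.254/"}, ""),
    "http://site.example/old": (301, {"Location": "/"}, ""),
    "http://site.example/": (200, {}, "hello"),
}
# Internal ranges the fetcher must never reach (loopback, RFC 1918, link-local).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

class BlockedURL(Exception):
    pass

def resolve(host):
    """Hypothetical resolver: IP literals pass through, names come from FAKE_DNS."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host]) if host in FAKE_DNS else None

def check_url(url):
    """Raise BlockedURL unless url is http(s) and resolves outside BLOCKED."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"bad scheme or host: {url}")
    ip = resolve(parts.hostname)
    if ip is None:
        raise BlockedURL(f"unresolvable host: {url}")
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if any(ip in net for net in BLOCKED):
        raise BlockedURL(f"{url} resolves to internal address {ip}")

def fetch_once(url):
    """Hypothetical single request that does NOT follow redirects itself."""
    return FAKE_HTTP.get(url, (404, {}, ""))

def safe_fetch(url, max_hops=3):
    """Fetch url, re-validating the target of every redirect hop."""
    for _ in range(max_hops + 1):
        check_url(url)  # runs on the first URL and on each Location target
        status, headers, body = fetch_once(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers["Location"])
    raise BlockedURL("too many redirects")
```

In a real deployment the HTTP client must connect to the exact address that was validated; if it resolves the name a second time, the check and the connection can disagree.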