Esse Esse Erre Effe

Esse Esse Erre Effe is the Portuguese pronunciation of SSRF. It's a simple SSRF that uses a redirect to bypass filters and extract metadata from the cloud infrastructure.

Approaching the app

The application lets the user submit a URL to a website and returns the response inside a JSON object.

If we try to access the API IP directly, the app refuses to retrieve the data.

The exploit

We can try to retrieve the data by making the server send a request to us and then redirecting it to the cloud API via an HTTP Location header.

One could simply serve the following PHP code:

<?php
header("Location: http://169.254.169.254/metadata/v1.json");

And point the SSRF request to the controlled server to retrieve the metadata.

And the flag is retrieved among the metadata :0
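
The redirect works because the filter only looks at the URL the user submitted. The sketch below is an added example, not the challenge's code: it follows redirects by hand and re-checks every hop before requesting it. The names safe_fetch, check_host, the fake DNS/web tables and the example hostnames are all assumptions constructed for the demo so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# IPv4 ranges a URL fetcher should never reach; 169.254.0.0/16 holds the metadata API
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

class BlockedTarget(Exception):
    pass

def check_host(url, resolve):
    """Reject a URL whose host resolves to a blocked (or non-IPv4) address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedTarget(url)
    for addr in resolve(parts.hostname):
        ip = ipaddress.ip_address(addr)
        if ip.version != 4 or any(ip in net for net in BLOCKED):
            raise BlockedTarget(url)

def safe_fetch(url, fetch_one, resolve, max_hops=3):
    """fetch_one(url) -> (status, headers, body); it must NOT follow redirects itself."""
    for _ in range(max_hops + 1):
        check_host(url, resolve)          # validate the first URL AND every redirect
        status, headers, body = fetch_one(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, headers["Location"])
    raise BlockedTarget("too many redirects")

# Constructed sample data: a fake resolver and web, mirroring the redirect on this page
FAKE_DNS = {"attacker.example": ["203.0.113.10"], "site.example": ["198.51.100.7"]}
FAKE_WEB = {
    "http://attacker.example/r.php": (302, {"Location": "http://169.254.169.254/metadata/v1.json"}, ""),
    "http://site.example/": (200, {}, "hello"),
}

def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]   # IP literals resolve to themselves
    except ValueError:
        return FAKE_DNS[host]

def demo(url):
    try:
        return safe_fetch(url, FAKE_WEB.__getitem__, fake_resolve)
    except BlockedTarget as exc:
        return f"blocked: {exc}"
```

In a real client the connection must be made to the address that was validated, otherwise a second DNS lookup can return a different IP than the one checked.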
