First of describing how i was able to find this bug, i would prefer to introduce the SSRF\/XSPA Vulnerability.<\/p>\n
An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify\/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even fetch data from remote services in unconventional ways.XSPA allows attackers to target the server <\/p>\n
infrastructure, mostly the intranet of the web server, the web server itself and any public Internet facing server as well. This Vulnerability can be used for:
\n1) Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.
\n2) Exploiting vulnerable programs running on the Intranet or on the local web server
\n3) Fingerprinting intranet web applications using standard application default files & behavior
\n4) Attacking internal\/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.)
\n5) Reading local web server files using the file:\/\/\/ protocol handler.<\/p>\n
In this blogpost i’m describing how i used the Yahoo! Server to portscan a remote host to see if a port is in open,filtered or closed state.This is the Bug Report i sent to Yahoo! Security.<\/p>\n
I’ve found a SSRF in http:\/\/add.yahoo.com<\/a> connect: Connection refused” telling us that the port is closed. Request Timeout” Now the bug has been fixed.To write this blogpost I referred to this<\/a> article which is in my opinion one of the best tutorial on SSRF\/XSPA Vulnerability.<\/p>\n This is the Video PoC:<\/p>\n
\nThese are the steps to reproduce the issue:
\n1)Go to http:\/\/dir.yahoo.com\/recreation\/games\/video_games\/titles\/action\/<\/a>
\n2)Now click on the “Suggest a Site” button and subsequently click on the “Standard Consideration”
\n3)Now click on the “Continue” button
\nNow in this page we have to fill in 4 forms.In the “Site Title” i’ve inserted ‘asdf’ as value
\nNow in the “Security Email ID” and “Contact Person” forms we have to insert values of our choice.
\nNow in the “URL” form we have to insert the target site to see if a certain port is in state filtered,open or closed
\nLet’s suppose that the port 20 of www.targeturl.com<\/a> is closed,so in the “URL” form we have to insert “http:\/\/www.targeturl.com:20<\/a>”
\nNow that we have filled in all the form values we have to click on the “Submit” button.Now we will receive an error like this “The following resulted when trying to access your document:<\/p>\n
\nLet’s suppose that the port 23 of www.targeturl.com<\/a> is filtered,so in the “URL” form we have to insert “http:\/\/www.targeturl.com:23<\/a>”
\nif the port is filtered we will receive the following message “The following resulted when trying to access your document:<\/p>\n
\nLet’s suppose that the port 21 of www.targeturl.com<\/a> is open,so in the “URL” form we have to insert “http:\/\/www.targeturl.com:21<\/a>”
\nIf the port is open we will receive the following message “Document contains no data”.Based on these three errors we can understand if a port of a remote host is open,filtered or closed.<\/p>\n