Discovering an XML File Upload Vulnerability Leading to SSRF: My Bug Hunting Journey



Author: Javroot, Bug Hunter

In my continuous quest for identifying security vulnerabilities, I recently uncovered an intriguing XML file upload vulnerability in a web application. This vulnerability, when exploited, can lead to Blind Server-Side Request Forgery (SSRF). In this article, I’ll share the details of my discovery, the steps to exploit it, and how such vulnerabilities can be mitigated.

The web application allows users to upload XML files. However, it fails to properly validate and sanitize these files, leading to a Blind SSRF vulnerability. This vulnerability can allow an attacker to make arbitrary requests from the server, potentially accessing internal systems and sensitive data.

Blind SSRF occurs when an attacker can make the server send requests to an arbitrary URL but cannot directly see the response. This can still be exploited to gather information about internal services or perform other malicious actions.

After broad recon, I ran subdomain enumeration on the target with subfinder and piped the results into httpx with this command:

subfinder -dL listsub.txt -o subs.txt | httpx --title --status-code -td

After collecting the live URLs on the target and analysing the application's functions, I found an endpoint that accepted XML as the request body. Let's see 👀:

As you can see, my sample RCE payload did not work.

Let's step back and look at the main page for any sample file or documentation, so we can reuse its syntax in this request.

I tried RCE payloads again, but none of them worked :(. However, notice that this XML syntax contains many URLs. Let's change one of them to a Burp Suite Collaborator URL and see what happens.

Now we wait for a response to arrive in Collaborator:

Finally, it worked:

Identifying and addressing SSRF vulnerabilities is crucial for maintaining the security of web applications. By understanding how these vulnerabilities can be exploited and taking proactive measures to mitigate them, we can protect sensitive data and internal services from unauthorized access.
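The root cause above is an XML document whose URL-valued fields the server follows without checking them. As an added illustration of the mitigation side (my own example, not code from the original post or the affected application), the validator below refuses any DTD, extracts every URL-shaped attribute or text value from an uploaded XML document, and rejects anything that is not http(s) to an allowlisted host or that points at a non-routable address. The allowlist and the sample document are constructed assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this application should ever fetch from.
ALLOWED_HOSTS = {"cdn.example.com", "assets.example.com"}
URL_RE = re.compile(r'''\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s"'<>]+''')


def _reject_reason(url, allowed_hosts):
    """Return why a URL must not be fetched server-side, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""
    try:
        # IP literals: loopback, private and link-local (cloud metadata) ranges are never fetched.
        if not ipaddress.ip_address(host).is_global:
            return "address is not globally routable"
    except ValueError:
        pass  # a hostname, not an IP literal; the allowlist decides below
    if host not in allowed_hosts:
        return f"host {host!r} is not on the allowlist"
    return None


def check_xml_upload(xml_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Return (url, reason) findings; an empty list means every URL is allowlisted."""
    # Refuse any DTD outright: external entities are the other XML-to-SSRF route.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return [("<DTD>", "document type declarations are not accepted")]
    findings = []
    for elem in ET.fromstring(xml_bytes).iter():
        # Examine every attribute value and every text node for URL-shaped strings.
        values = list(elem.attrib.values()) + ([elem.text] if elem.text else [])
        for value in values:
            for url in URL_RE.findall(value):
                reason = _reject_reason(url, allowed_hosts)
                if reason:
                    findings.append((url, reason))
    return findings


# Constructed sample: one legitimate asset URL next to three that a server must not follow.
SAMPLE = b"""<?xml version="1.0"?>
<document>
  <image src="https://cdn.example.com/logo.png"/>
  <image src="http://169.254.169.254/latest/meta-data/"/>
  <link>https://oob-placeholder.example/probe</link>
  <style>file:///srv/app/config.xml</style>
</document>"""
```

Running `check_xml_upload(SAMPLE)` returns three findings (metadata address, out-of-band host, file scheme) and none for the legitimate CDN URL; an upload should be stored only when the list is empty.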

References:

OWASP XML External Entity (XXE) Prevention Cheat Sheet
OWASP Server Side Request Forgery (SSRF) Prevention Cheat Sheet