How i found 3 SSRF in one day on different bug bounty targets.

4 years ago 164

BOOK THIS SPACE FOR AD

ARTICLE AD

Hey guys!,

My name is damanpreet singh. This is my first write-up, so please forgive me for my mistakes. So, lets start:

I started bug bounties after about a year. I was only learning, still i am learning. So, some days ago i thought , now i should start to looking for bugs. So, on 21 august, i chose some bounty targets, and started hunting. Now lets talk about those 3 ssrf’s one by one.

lets assume target as target.com , that target was for shopping gift cards etc. So, i signed up , they were sending a 6 digit otp for verification. I tried rate limiting for brute forcing otp, but no success. but i got no rate limiting on sending unlimited otps.

Then i uploaded profile picture, after uploading, i tried to delete it to know, if its still stored on their server or not, or if i could delete someone else’s picture or not. I got no success there, they were properly removing deleted picture from there server, also there was no idor in deleting pictures.

Image for post

i was like

After it, i checked my proxy history, there was some requests like:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

POST /user/dashboard/profile HTTP/1.1
Host: target.com
Connection: close
Content-Length: 132
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Origin: https://target.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/signin
Cookie: xxxxxxxxxxxxxxxxx

[{“userid”:”21452",”imgurl”:”https://api.target.com/images/profiles/MjE0NTI=","type":"jpeg"}]

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

they were fetching profile pictures from their api, i changed “imgurl” parameter value to my burp collaborator client , but i got response as “There is an error while fetching this image, please try again” . also i got some requests on my collaborators.

Image for post