How I Uncovered an SSRF Vulnerability in a Private HackerOne Program


Josekutty Kunnelthazhe Binu

Hello guys, it’s been a while since I wrote a new article. I’ve been caught up with quite a few things.

Today I came to show how I found a valid SSRF vulnerability on a private HackerOne program.

So I was testing the features of the website manually. The target was an e-commerce website, and it had an account creation feature. I created an account with my testing email. After creating and verifying the account, I looked at the password reset feature and tried to reset the password. I got the password reset link.

https://links.target.com/f/a/hbWgoLfLuGxBcLkUS6i2Dw~~/AAQRxQA~…

After clicking the password reset link from the email, I was taken to the password resetting page of the target website. I checked the URL of the page and found something suspicious at the end: there was a parameter called “redirection=”.

I immediately put https://evil.com in the redirection parameter, entered the new password on the page and submitted.

I WAS TAKEN INTO EVIL.COM!!!!!

I confirmed that the parameter called redirection is vulnerable to open redirect.

To add more impact, I thought to test for SSRF on the same vulnerable parameter. I started my Burp Suite, copied the Burp Collaborator link and pasted it into the redirection parameter, but the website was not accepting it and returned some error.

I did another password reset request, and after clicking the link I went to the page with the redirection parameter. Then I put the payload https:collaborator.link, added the new password and submitted the request.

I WAS TAKEN TO THE COLLABORATOR LINK AND I GOT THE OUTPUT ON THE COLLABORATOR IN HTTPS.

IN THE OUTPUT ON THE BURP COLLABORATOR I WAS ABLE TO GET THE COMPANY SERVER'S INTERNAL IP. ATTACKERS WOULD BE ABLE TO DO INTERNAL SCANS TO MAP THE ATTACK SURFACE IN RECONNAISSANCE.
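Added example (not code from the post or from the target program): a server-side validator for a redirect parameter like the `redirection=` one described above, with `www.target.example` and `/account` as placeholder site host and default landing page. The naive check keys only on the parsed host, which is why a value like `https:collaborator.link` slips through: Python's `urlsplit` reports no host for it, while a browser or HTTP client normalizes it to `https://collaborator.link`. The hardened version accepts only same-site paths or an exact allowlisted origin, so the server never follows a redirect off-site.

```python
from urllib.parse import urlsplit

# Placeholder values, assumed for this example.
ALLOWED_HOSTS = {"www.target.example"}
DEFAULT_LANDING = "/account"


def naive_is_safe(url: str) -> bool:
    """A host-only check of the kind that rejects 'https://x.example'
    but accepts 'https:x.example', because urlsplit yields an empty netloc
    for the latter even though clients treat it as an absolute URL."""
    parts = urlsplit(url)
    return parts.netloc == "" or parts.netloc in ALLOWED_HOSTS


def safe_redirect_target(url: str) -> str:
    """Return a redirect target that stays on the site, else the default.

    Anything that a browser or HTTP client could read as absolute or
    scheme-relative is either matched exactly against an allowlisted
    origin or discarded:
      https:collab.example   scheme present, empty netloc
      //collab.example       scheme-relative
      /\\collab.example      backslash is normalized to '/' by browsers
    """
    if not url:
        return DEFAULT_LANDING
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute URL: require the raw string to start with an allowlisted
        # https origin, so parser/client disagreements cannot smuggle in
        # another host (userinfo, ports, odd separators).
        for host in ALLOWED_HOSTS:
            if url.startswith(f"https://{host}/"):
                return url
        return DEFAULT_LANDING
    # Relative target: must be a single-slash site path with no characters
    # that could be reinterpreted as a host or split an HTTP header.
    if not url.startswith("/") or url.startswith(("//", "/\\")):
        return DEFAULT_LANDING
    if any(c in url for c in "\\\r\n"):
        return DEFAULT_LANDING
    return url
```

Constructed inputs such as the two payloads from the post (`https://evil.com` style and `https:collaborator.link` style) both fall back to the default landing page under the hardened check, while a plain site path passes through unchanged.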

THE REPORT WAS ACCEPTED QUICKLY

I WAS ADDED TO THE HALL OF FAME AND GOT 7 REPUTATION POINTS FOR SUBMITTING THIS VULNERABILITY.

This was my first valid SSRF, so I thought to create a writeup on it. Thanks 🙂
