SSRF Vulnerability in HiTranslate: A Technical Breakdown

Server-side Request Forgery (SSRF) is a security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker. This article details the discovery, exploitation, and mitigation of an SSRF vulnerability in the HiTranslate application, a popular app used to translate text between different languages.

HiTranslate features a functionality that loads URLs within a WebView, accessed via a proxy endpoint:

The URL parameter is intended to specify the destination URL to be loaded. However, it was discovered that this parameter is vulnerable to SSRF attacks, allowing attackers to manipulate the URL to perform unintended server-side requests.

To test for SSRF, a Burp Collaborator URL was sent in the URL parameter. This URL is designed to notify when it is accessed, providing proof of the vulnerability. Upon sending the request:

A callback was received from an IP address belonging to Alibaba Cloud, indicating that the server made a request to the Burp Collaborator URL.

The next step involved exploiting the SSRF to access Alibaba Cloud metadata, which can contain sensitive information such as security credentials. Alibaba Cloud metadata is accessible at:

By crafting the following request, the metadata was successfully fetched:

The response contained valuable metadata information, including security credentials.

Using the SSRF vulnerability, security credentials stored in Alibaba Cloud metadata were extracted, demonstrating the potential severity of the vulnerability. The extracted credentials could potentially allow unauthorized access to cloud resources, leading to further compromise.

The TECNO team responded promptly to the reported vulnerability by blocking direct IP access. This means that URLs containing IP addresses were no longer processed by the proxy, thus preventing direct access to internal network resources like the metadata endpoint.

Despite the initial fix, a bypass was identified using the service provided by nip.io, which allows mapping custom domain names to IP addresses. This service translates domain names to specified IP addresses, enabling the following bypass:

Using nip.io, a custom domain was created to map to the internal Alibaba Cloud metadata IP address:

http://hello-646464c8.nip.io

This domain resolves to:

http://100.100.100.200/

By sending the request with the nip.io mapped domain, the internal metadata endpoint was successfully accessed again, bypassing the direct IP block:

This demonstrated that the fix could be circumvented, highlighting the need for more robust solutions.

To effectively prevent SSRF vulnerabilities, several best practices and mitigation strategies should be implemented:

Allowlist Approach: Implement strict allowlisting of acceptable domains. Only permit URLs that are known and trusted.Denylist Approach: Use a denylist to block known malicious domains, though this is less effective due to the ease of bypassing with new domains.

Segregate internal and external network resources to minimize the risk of SSRF attacks accessing sensitive internal services.

Restrict access to cloud metadata services. Many cloud providers offer configuration options to disable or limit metadata service access from instances.

Ensure the proxy only forwards requests to a restricted set of domains.Avoid resolving custom domains to internal IP addresses by verifying that resolved IPs belong to trusted networks.

Implement WAFs to detect and block malicious traffic patterns indicative of SSRF attacks.

Conduct regular security audits and penetration testing to identify and mitigate potential vulnerabilities before they can be exploited.

Security researchers can employ various methods to detect SSRF vulnerabilities during security assessments:

Utilize automated tools to fuzz URL parameters with different payloads to identify potential SSRF points.

Monitor outbound network requests made by the application for unusual or unauthorized destinations.

Use services like Burp Collaborator to track and confirm whether external requests are being made by the application.

Perform code reviews to identify unvalidated URL inputs or improper handling of external requests.

The SSRF vulnerability discovered in HiTranslate highlights the importance of securing applications that interact with external URLs. By understanding the mechanics of SSRF, implementing robust defenses, and staying vigilant through continuous testing and monitoring, organizations can protect their applications from such critical vulnerabilities. The lessons learned from this case study serve as a valuable guide for developers and security professionals aiming to fortify their applications against SSRF attacks.