This is a short article describing a critical vulnerability I recently found in one of India's top travel booking websites.

Quick info:

💡 SSRF allows an attacker to induce the server-side application to make requests to an unintended location.

💡 When testing for SSRF vulnerabilities it is common to observe a DNS lookup for the supplied attacker-controlled domain but no subsequent HTTP request. Many production networks allow free egress of DNS queries, because DNS is essential for the normal operation of production systems. The application attempts to make an HTTP request to the domain, which causes the initial DNS lookup, but the actual HTTP request is blocked by network-level filtering.

💡 Access keys allow programmatic calls to AWS, including use of the AWS Command Line Interface or AWS Tools for PowerShell.

💡 The AWS metadata service is always hosted at 169.254.169.254, port 80.

Moving on...

While testing one of the endpoints, I found Apache mod_proxy SSRF (CVE-2021-40438)...
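A server-side check for user-supplied fetch URLs, written from the defender's side as an added example (not code from the original post): it resolves the host before any request is made and rejects anything that lands in link-local space, where the 169.254.169.254 metadata address lives, or in loopback and private ranges. The `resolver` parameter and the sample hostnames are assumptions so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server-side fetcher should never be allowed to reach. 169.254.0.0/16
# is link-local and contains the AWS metadata address mentioned in the post.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in any blocked range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Return the resolved addresses the fetch may connect to, or raise ValueError.

    `resolver` is an assumption: it defaults to socket.getaddrinfo and can be
    swapped for a stub so the check runs without network access.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("missing host")
    try:
        results = resolver(parsed.hostname, parsed.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"unresolvable host: {exc}") from None
    addrs = sorted({r[4][0] for r in results})  # sockaddr tuple, first field is the IP
    for ip in addrs:
        if is_blocked_ip(ip):
            raise ValueError(f"{parsed.hostname} resolves to blocked address {ip}")
    return addrs


def is_safe_outbound_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around validate_outbound_url for callers that only need a verdict."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

The caller must connect to the returned addresses rather than passing the hostname to an HTTP client that resolves it again, because a second lookup can return a different answer than the one that was checked.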