User Profile with SSTI and SSRF Bugs #655
Conversation
ghost
assigned 
|
So the one liner payload of |
|
👍 Nice! I've tried to come up with a good scenario for a SSRF... But nothing really comes to my mind. We are simply missing the large "internal juice-shop company" network 😉 The SSTI => RCE is a bit easier. The problems with RCE is that if you have the RCE you basically own the server. So we really can' ask the user to do anything he/she could not do via the other RCE vulns. (Please tell me if this assumption is wrong) .... Ok while writing this i had a (hopefully) interesting idea which would work for both challenges. SSTI Challenge: Download and execute this malware [link to malware] on the server or decompile the malware and find a way to reproduce what it does. This provides a link to a compiled malware executable which simply makes a request to the juice-shop (new hidden endpoint, So the malware sends the request to the endpoint the endpoint checks where the request is coming from and only response from local requests. So there are two ways to solve this:
This is still a pretty raw idea. And there a a couple of problems, which come to my mind.
Sorry for the long text i hope it was kind of clear what i meant with all of that 😅 |
|
Okay other than the craziness, also some generall things about this:
|
|
Very Very nice idea tbh @J12934 . I really like the malware idea. Only problem you mentioned is checking from where request came right? We can solve that with the User-Agent header .. we will just allow the header of npm package |
|
So SSRF challenge only gets solved this way @J12934 ? |
|
I am so excited to implement this .. I will need guidance on how to design that malware binary so that its platform independent. |
|
I love the malware idea, since this is something I was thinking to implement as well, since I need it for a demo. I was looking at the profile page, but I've also considered adding images to product details comments. The goal was to find a way to do either RCE or code injection from images EXIF tags. The problem is that for user profile EXIF is not really relevant, while for images added to comments we might be interested to display timestamp, geolocation or similar. The question was more towards where that info should be read: server or client side. And this might solve the cross platform malicious file. The only problem is that it should be a nice story around it:
|
|
@georgeprichici that sounds exiting! |
|
@CaptainFreak UserAgent would at least be another hurel so that is isnt to easy on a local setup. But the user could obviously just set the UserAgent in the request him/herself... |
|
In that case he will have to guess that ? Atleast for request package's user agent. We can send something unique with request to identify.... |
| c-0.605,1.881-1.478,3.674-2.632,5.304c-0.291,0.411-0.563,0.759-0.801,1.03V38.8c0,1.223,0.691,2.342,1.785,2.888l8.467,4.233 | ||
| c0.508,0.254,0.967,0.575,1.39,0.932c5.71-4.762,9.399-11.882,9.536-19.9C53.246,12.32,41.587,0.254,26.953,0.004z"/> | ||
| </g> | ||
| <g> |
There was a problem hiding this comment.
These gs look like a bit too much 😉
routes/fileUpload.js
Outdated
| entry.autodrain() | ||
| } | ||
| }) | ||
| if (file === undefined && req.body.imageUrl !== undefined) { |
There was a problem hiding this comment.
I think we should move this new functionality into a new endpoint, instead of reusing the existing file-upload.
The file upload handler is already pretty messy.
There was a problem hiding this comment.
I would actually create two new endpoints.
- for the "Upload by URL". Something like:
POST /profile/image/url - for the "Upload by File". Something like:
POST /profile/image/file
|
I merged |
|
@CaptainFreak @J12934 PR #655 is now reopened onto |
|
Alternatively, you can also move both challenges into |
(got merged in the wrong way)
|
Okay will try to implement the tests tomorrow 😉 |
|
Before German OWASP Day, so 1st November is my latest "merge-to-master"-goal. |
As the profile page doesnt exists outside the angular router, `routerLink` cannot be used to link to it.
This reverts commit 13a3dfd.
|
Only API tests are remaining right @J12934 ? @bkimminich do you need anything else to be added for merge ? |
That is still missing, right? That seems more important to me than the API tests. Currently most API tests are failing with |
|
Hey @bkimminich @J12934 Can you give me a to-do on this ? for sandboxing. |
|
Hi @CaptainFreak I'd say there are to ways to do it:
|
|
There now is a |
|
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs. |
/profileis a new server side rendered page withjadetemplate engine. It has functionality of Submitting and changing Username, Email and Profile Picture (From URL/Computer). Username field contains standard SSTI Bug and URL field contains SSRF Bug. The scenario for these challenges is yet to be decided.