My First Bounty And SSRF

Muhammad Julfikar Hyder
Aug 8, 2020

Hello, everyone. I’m Muhammad Julfikar Hyder from Bangladesh, back again with the story of my first bounty. You can also read my previous blog on how I hacked LINE’s bucket here.

It was 9/24/2019. I was a newbie at bug bounty hunting, and I’m still a newbie! Anyway, let’s get into the story.

Today I’ll talk about the SSRF vulnerability. First, what is SSRF? Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

Okay, when I first started hacking, I liked to test random websites to improve my skills because I wasn’t yet proficient enough to test a website listed on a bug bounty platform. For my testing, I used a well-known Bangladeshi eCommerce website. I had just started when I got a request like this:

The request was loading a cross-domain data source through the ‘src’ parameter! Hmm..!!! I simply changed the URL and didn’t understand what happened! Then, on a random domain I had previously shelled, I created a .php file with the JavaScript contents “<script>alert(document.domain)</script>”. I replaced the URL with the URL of that JavaScript file, and the request looked like this:

I was very surprised! It was working! The response looked like this:

The request was loading files from third-party domains!

Then I began to wonder, “What more can I do?” Because I had no IP logger, I could check the SSRF clearly! I fired up my little buddy Command Prompt and took the IP of my target domain with the command ‘ping targetsite.com’.

I again changed the request to this:

I changed the URL to an IPLocation URL and got the domain’s IP in the response!

SSRF has been confirmed yet again!
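The root cause above is a ‘src’ parameter that the server fetches without checking where it points. As an added example (not code from the original post or from the affected site), the validator below shows the check a defender would put in front of such a proxy: only http(s), only hosts on an allowlist, no embedded credentials, and the host must resolve to a public address. The allowlist and the resolver are constructed for this example; the real site’s values are unknown.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts the "src" proxy should ever load from.
ALLOWED_HOSTS = {"cdn.example.com", "img.example.com"}


def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local, unspecified and other non-public ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_src(src: str, resolver=socket.gethostbyname) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an http(s) URL whose host is on
    the allowlist and resolves to a public address. `resolver` is injectable so
    the check can be exercised offline; in production leave the default."""
    try:
        u = urlparse(src)
    except ValueError:
        return False, "unparseable URL"
    if u.scheme not in ("http", "https"):
        return False, f"scheme {u.scheme!r} not allowed"
    if u.username or u.password:
        return False, "credentials in URL"
    host = (u.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        ip = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    if not is_public_ip(ip):
        # Covers an allowlisted name that (mis)resolves to an internal address.
        return False, f"{host} resolves to non-public address {ip}"
    # The fetch that follows should connect to `ip` (not re-resolve the name)
    # and must not follow redirects, or this check can be bypassed.
    return True, "ok"
```

The resolved-address check matters because an allowlisted name is still a name: the fetch should use the address that was validated and refuse redirects to other hosts.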

The site had no bug bounty program, but I reported the issue to them politely, and they awarded me a 5-digit bounty, which was unexpected from a random company with no bounty program!

“About the author: Muhammad Julfikar Hyder is a bug bounty hunter and cybersecurity enthusiast. You can follow them on Twitter at @thejulfikar for more security tips and updates on their latest findings.”

Muhammad Julfikar Hyder

Red Team Researcher & Security Specialist at Beetles Cyber Security Limited. Co-founder of Bug Bounty Community Bangladesh