GHSA-v8wj-f5c7-pvxf

Описание

Description

In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,.... in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).

Payloads

• http://127.0.0.1:80 -> The Port is not open
• http://127.0.0.1:1337 -> The Port which Strapi is running on

Steps to Reproduce

• First of all, let's input the URL http://127.0.0.1:80 into the URL field, and click "Save".

• Next, use the "Trigger" function and use Burp Suite to capture the request / response

• The server return request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, BECAUSE the Port 80 is not open, since we are running Strapi on Port 1337, let's change the URL we input above into http://127.0.0.1:1337

• Continue to click the "Trigger" function, use Burp to capture the request / response

• The server returns Method Not Allowed, which means that there actually is a Port 1337 running the machine.

PoC

Here is the Poc Video, please check:

https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

Impact

• If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.