Mas Zet Profile picture
Sep 20 6 tweets 4 min read
SSRF Story | Scan The Network

1. Found SSRF and got cloud metadata.
2. The common high-risk finding with disclosed cloud metadata is security credentials, but none were found at this point :(
3. Found the instance's public IP in latest/meta-data/public-ipv4, accessed the IP and got a 404 response.
4. Nmapped the IP; nmap identified the server as located at the Vultr cloud provider, with open ports 22, 53, 80 and 443.
5. Tried to get more exposure via the SSRF by scanning all ports.
6. Amazed: got some firewalled ports; port 8080 was running the Traefik application.
7. Found the Traefik API documentation and tried to reach every single endpoint, but still got 404 responses (?). Until I got the information from the version endpoint that identified the running version as v1.7.4, the reason why the API was different from the latest API doc.
8. Went to the Traefik repo and selected the 1.7.4 branch to get the API resources; apparently the API calls can be performed without authentication!
9. API security was introduced in version 2.0.
10. Accessed the API endpoint through the SSRF and got very juicy information about the infrastructure's host applications.
11. This information led to the right path without getting tired of guessing the internal network interfaces.
12. Now I can visit every single host and identify more security hole possibilities.
13. Maybe I can start with GraphQL introspection, check the open-source based apps, or even price-based apps with leaked source code.
14. Have fun!

#ssrf
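The chain above relies on the application fetching attacker-supplied URLs that land on the metadata service and then on internal ports such as 8080. The following is an added example, not code from the thread, of the outbound-URL check a defender would put in front of such fetches: it allows only http/https on ports 80/443 and rejects any destination that resolves to link-local (the 169.254.169.254 metadata range), private, loopback or otherwise non-global address space, including IPv4-mapped IPv6 forms. The `resolver` parameter and the host names used in the test are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # the thread's pivot went through a firewalled 8080


def is_blocked_ip(ip_str):
    """True if the address is one an outbound fetch must never reach."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _dns_resolver(host):
    """Default resolver: every address the name maps to, via the OS."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=None):
    """Return (ok, reason). resolver(host) -> list of IP strings (hypothetical hook)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        addrs = (resolver or _dns_resolver)(host)
    except (socket.gaierror, ValueError) as exc:
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host resolved to no addresses"
    # Reject if ANY answer is internal: a name can carry a mix of records.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"
```

The check must be re-run on every redirect hop, and the connection should be pinned to the address that was validated, otherwise a second DNS lookup can return a different (internal) answer.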
