HTML injection to SSRF


Hey Guys! 
Last night I posted about HTML injection to SSRF, and some fellow researchers disagreed with my post, saying the request either came from my localhost or was a client-side request forgery, meaning my own browser was responsible for the response. In the screenshot below you can see my question and the PoC of getting the response from the program's cloud server.
So that was my question, and I provided the screenshot as a PoC, but again some fellow researchers said it was coming from either my localhost or my browser. To be clear, it is not coming from my browser: the program is using the Cloudinary service, as you can tell from the user agent, which is "Cloudinary 1.0". The whole scenario was this: I put <img src="http://myip:port"> in the text editor, which has four options.
1: help
2: markdown
3: Preview
4: save post
Before clicking on one of these, start netcat listening on the chosen port so you can catch the callback.
In a terminal run: nc -nlvp 1111 (1111 is my port number; change it to whichever port you have open).
Now that netcat is listening, click the Preview option; within a few seconds you will get a callback in your terminal. I'll attach a video as a PoC.
Most of you probably have a question in mind: what is the logic/reason behind this? To be honest, my teammate and I dug deeper and found that the application itself was not vulnerable; instead it was using some function to pass the value to their cloud service, and the response we got came from their cloud server. Since Cloudinary uses a fetch function, that fetch is why we were getting a response. The weird thing is that we were writing an HTML tag in the editor and it was being passed straight on to their cloud server. I believe this is a rare case, but it is surely possible to turn HTML injection into SSRF. Hopefully you will find an application that is vulnerable itself, like this one, but where instead of passing the value to a cloud server it renders within the application itself. I'll do more research on this, and if I succeed I'll do another writeup; if you succeed within an application itself, do a writeup and let me know :)
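Two checks that follow from the discussion above, as an added example that is not part of the original post or of Cloudinary's code. The first settles the "is it my browser or their server?" argument from the listener's own evidence: it parses the raw HTTP request that hit the netcat port and reports the User-Agent and whether it looks like a browser. The second is the fix on the application side: before user-supplied editor HTML is handed to any fetch-style cloud service, drop every <img src> that does not point at an allowlisted image host, so an injected tag has nothing for the fetcher to fetch. The sample requests, the host names, the IP 203.0.113.10 and the allowlist are all constructed for this example; the browser heuristic is an assumption, not a rule the page states.

```python
"""Added example (not from the original post): two defender-side checks for the
HTML-injection-to-SSRF pattern. Requests, hosts and the allowlist are constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: what a listener printed after "Preview" was clicked.
SERVER_SIDE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 203.0.113.10:1111\r\n"
    "User-Agent: Cloudinary 1.0\r\n\r\n"
)

# Constructed: the same probe when the tester's own browser renders the page.
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 203.0.113.10:1111\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n"
    "Referer: https://app.example/editor\r\n\r\n"
)

# Assumption: tokens that real browsers put in their User-Agent.
BROWSER_UA_MARKERS = ("Mozilla/", "AppleWebKit", "Chrome/", "Firefox/", "Safari/")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target and lower-cased header names."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify_callback(raw: str) -> dict:
    """Heuristic: a Mozilla-style User-Agent (usually with a Referer) is a browser;
    a bare product token such as "Cloudinary 1.0" with no Referer is a server-side
    client. Correlate with the source IP in the listener log for certainty."""
    headers = parse_request(raw)["headers"]
    ua = headers.get("user-agent", "")
    is_browser = any(marker in ua for marker in BROWSER_UA_MARKERS)
    return {
        "user_agent": ua,
        "origin": "browser" if is_browser else "server-side",
        "has_referer": "referer" in headers,
    }


class _ImgSrcFilter(HTMLParser):
    """Re-emit HTML, dropping <img src> values that point outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.out, self.blocked = [], []

    def _allowed(self, url: str) -> bool:
        parts = urlsplit(url.strip())
        if not parts.scheme and not parts.netloc:
            return True  # relative URL: served by the application itself
        return parts.scheme == "https" and parts.hostname in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        kept = []
        for name, value in attrs:
            if name == "src" and value is not None and not self._allowed(value):
                self.blocked.append(value)
                continue  # drop the attribute: nothing left for the fetcher to fetch
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<img" + "".join(" " + k for k in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # img is a void element: no end tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def restrict_fetch_targets(html: str, allowed_hosts) -> tuple:
    """Return (filtered_html, blocked_urls) for HTML about to go to a fetch service."""
    f = _ImgSrcFilter(allowed_hosts)
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked


if __name__ == "__main__":
    print(classify_callback(SERVER_SIDE_REQUEST))
    print(restrict_fetch_targets('<img src="http://203.0.113.10:1111">', ["res.example-cdn.test"]))
```

The allowlist should contain only the hosts the application's own images are served from; relative paths pass because they never leave the application, and anything with a non-https scheme, a scheme-relative `//host` form, or an unknown host is stripped and reported in the second return value so the rejection can be logged.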

PoC: (video)

Credits for the blog: 00x0code
