SasanLabs / VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
https://sasanlabs.github.io/VulnerableApp/
Apache License 2.0

Add Blind SSRF Vulnerability #289

Open preetkaran20 opened 3 years ago

preetkaran20 commented 3 years ago

Is your feature request related to a problem? Please describe.
Blind SSRF is a very important vulnerability and it is currently not present in OWASP VulnerableApp. A good tutorial video on Blind SSRF is https://www.youtube.com/watch?v=AsPpxqIlTDU

Describe the solution you'd like
Try finding the use-cases from other vulnerable applications and then add those to the VulnerableApp.

preetkaran20 commented 3 years ago

Acceptance criteria:

  1. Use-case finding
  2. Backend API creation for Vulnerability.
  3. UserInterface/Template creation for the Vulnerability.
  4. Compatible with https://github.com/SasanLabs/VulnerableApp-facade schema design.

preetkaran20 commented 2 years ago

@ehizman I was thinking again after our discussion. For the Blind SSRF, I think there is no need to depict anything as our target audience is scanners, so let scanners find the issue. For human users, we will write the hint to explain the way to exploit it.

thoughts?

ehizman commented 2 years ago

Hmmm. That's okay for now @preetkaran20. However, in the future we have to look for a way to have users interact with the vulnerability, since part of our goal is to be a database where people can learn about vulnerabilities.

ehizman commented 2 years ago

I will still proceed with checking those apps you mentioned in our discussion. Let me see what they've got.

ehizman commented 2 years ago

Thank you @preetkaran20

ehizman commented 2 years ago

Hello @preetkaran20. I checked the other vulnerable applications which we talked about. Interestingly, none of them demonstrated the Blind SSRF vulnerability. However, I found something interesting called Time Based Injection for Blind Vulnerabilities. DVWA uses this to demonstrate Blind SQL Injection. What happens here is that the attacker waits to see how long the page takes to respond (since it's a blind vulnerability and a generic response or no response is always returned). If it takes longer than usual, then the attacker's query is successful.

ehizman commented 2 years ago

I also thought about another way. What if we set up a web server, Server X. We provide the domain of Server X to the user who is trying to practice Blind SSRF. In VulnerableApp we extract the domain URL and place it in the referrer header of the request. When the user sends the payload to VulnerableApp, if the request is successful, Server X is hit and a response is sent to VulnerableApp via a webhook. I am thinking this is similar to what is done using Burp Collaborator.

What do you think about these ideas?

preetkaran20 commented 2 years ago

Hi @ehizman ,

For the time-based injection, yes, we can go ahead with it. There can be multiple levels which we can implement, like a blacklisting approach etc. For the 2nd one, I think we don't need a server; instead we can put in hints or in the description that they can use the netcat command and see if VulnerableApp is calling it, and if it does then they can assume that they have cleared the level.

thanks, Karan
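The thread above settles on a level where VulnerableApp fetches a URL the user supplies (for example via the referrer header) and the learner confirms the outbound call with a listener. As an added example, not code from VulnerableApp or this thread, the validator below shows the weak check such a level would ship with next to a hardened one that a fixed level would need to pass; the function names and the "every resolved address must be public" rule are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper names for this example; not part of VulnerableApp.
ALLOWED_SCHEMES = {"http", "https"}


def naive_target_allowed(url: str) -> bool:
    """Weak check of the kind a blind-SSRF level relies on: any http(s)
    URL taken from the request is fetched unchanged, so loopback, private
    ranges and cloud metadata addresses are all reachable."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES


def _is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as IPv4
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_target_allowed(url: str) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. The caller must then connect to the address checked here
    rather than resolving the name again, or DNS rebinding defeats the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # reject user@host forms that confuse host parsing
    try:
        # IP literals are judged directly; names are resolved (IPv4 and IPv6).
        ipaddress.ip_address(parts.hostname)
        addresses = [parts.hostname]
    except ValueError:
        try:
            infos = socket.getaddrinfo(parts.hostname, parts.port or 80,
                                       proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False
        addresses = [info[4][0] for info in infos]
    # A mixed answer (one public, one internal address) is rejected as a whole.
    return bool(addresses) and all(_is_public_address(a) for a in addresses)
```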