surfedushare / surf-backend

SURF Catalog backend

External service interaction (HTTP) #20

Open sveeke opened 5 years ago

sveeke commented 5 years ago

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains by modifying the HOST header value.

The payload qhbrdm23xln4g0zoujgrbilzbqhk5at3srie82x.burpcollaborator.net was submitted in the SSL SNI value and the HTTP Host header. The application performed an HTTP request to the specified domain. External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server.

Affected URL:

https://surf.stg.mqd.me/

HTTP Request

GET / HTTP/1.1
Host: qhbrdm23xln4g0zoujgrbilzbqhk5at3srie82x.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Impact

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Recommendation

The application should block the outgoing requests to random servers on the internet. The application code should also validate the Host header before executing the request.

YuriiDunaev commented 5 years ago

Is it a question for server administration?

mahesh-cybsec commented 5 years ago

My understanding is that the "host" parameter of the request is not automatically accessed by the web server. Rather, the application code may use the "host" parameter to access a remote resource. So this would be an application issue, not a server administration issue.

ggevorg commented 5 years ago

Host validation on https://surf.stg.mqd.me is configured according to the manual https://docs.djangoproject.com/en/2.1/topics/security/#host-header-validation. But the specificity of the implementation of this in Django is that the header validation applies when the code accesses the "Host" header directly from request.META. If the code doesn't use the header, nothing happens.
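Added example, not code from the surf-backend project: a stand-alone Python model of the distinction above, contrasting code that copies the raw Host header into an outbound URL with code that checks it against an allow-list first. The ALLOWED_HOSTS values, the host name attacker.example and the function names are constructed assumptions; validate_host mirrors the documented ALLOWED_HOSTS matching rules (exact match, leading-dot subdomain match, "*" wildcard) but is not Django's own implementation.

```python
# Added example (not from the surf-backend project): models Host-header
# validation against an allow-list, separate from Django, so it runs offline.
from typing import Iterable, Mapping

# Constructed: the value a deployment would place in ALLOWED_HOSTS.
ALLOWED_HOSTS = ["surf.stg.mqd.me", ".mqd.me"]


def validate_host(host: str, allowed_hosts: Iterable[str]) -> bool:
    """Return True if `host` (without port) matches one of the allowed patterns.
    Mirrors the documented ALLOWED_HOSTS rules; not Django's own code."""
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        # ".mqd.me" matches "mqd.me" itself and any subdomain of it.
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def split_host_port(raw: str) -> str:
    """Strip an optional :port; bracketed IPv6 literals are kept whole."""
    if raw.startswith("[") and "]" in raw:
        return raw[: raw.index("]") + 1]
    return raw.split(":", 1)[0]


def unsafe_self_url(meta: Mapping[str, str], path: str) -> str:
    """Risky pattern: the raw Host header goes straight into an outbound URL,
    so whoever sets the header chooses where the server connects."""
    return f"https://{meta['HTTP_HOST']}{path}"


def safe_self_url(meta: Mapping[str, str], path: str,
                  allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Hardened pattern: the host is checked against the allow-list first."""
    raw = meta.get("HTTP_HOST", "")
    if not validate_host(split_host_port(raw), allowed_hosts):
        raise ValueError(f"Host header {raw!r} is not in ALLOWED_HOSTS")
    return f"https://{raw}{path}"


if __name__ == "__main__":
    # Constructed request metadata carrying an externally chosen Host value.
    meta = {"HTTP_HOST": "attacker.example", "REQUEST_METHOD": "GET"}
    print(unsafe_self_url(meta, "/"))      # URL now points at the foreign host
    try:
        safe_self_url(meta, "/")
    except ValueError as exc:
        print("blocked:", exc)
```

Reviewing the backend for places where request.META["HTTP_HOST"] feeds an outbound request, rather than only confirming ALLOWED_HOSTS is set, is the check the thread is asking for.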

abhinavmishra00 commented 5 years ago

Yes, this is correct. If the code does not use the value of the Host header in the request to perform any action, it is safe. Though, during the pentest we were able to receive an HTTP/DNS request with the Host header that we provided. This suggests that the application might be accepting the header and performing a DNS request.

If the code does not use the header value anywhere, this can be considered as fixed.

sveeke commented 5 years ago

@ggevorg can you check the following?

If the code does not use the header value anywhere, this can be considered as fixed.

mahesh-cybsec commented 5 years ago

This code change/verification should be on the backend - the issue appears to be wrongly tagged as front-end. The HOST parameter is set by the attacker - the server backend code needs to be reviewed to verify "if the code does not use the HOST header value anywhere".

sveeke commented 5 years ago

Okay, I'll move it to the other repo then. Probably my bad!