Blind SSRF exploitation

Hello,

CONDITION:
A web server have a 'Content fetch proxy serve’r which is programed to fetch user profile pic images from S3 bucket while saving image url but if I change the default url by my server Domain the content fetch proxy server try to fetch things from my server.

I can make Content fetch proxy server to fetch anything from open internet and my server.

I don’t see this as any security risk but, can I do anything with it by making it as Blind ssrf. (I can’t see any response on client side)

OR

Any suggestion please

Hi @Lethal.
Do you have access to the content fetched by the application? Because if it is used for changing the profile picture then I guess you can access the content.

yes, i can fetch only jpg files of specific size ,and that set on thumbnails .so basically i can fetch files and store it on main web app server.

Did you find any way to trick the application in fetching any file? Because sometimes you can get other files just adding .jpg at the end of the URL or things like that.

Not possible, i tried many way to call different extension files and manipulate request .
the main functionality only accept .jpg files. .
And i would like to tell you that report marked as a duplicate ,and it also fixed now .
but still i would like to hear other possible ways to exploit this if you have any.
Thank you for support.

Sorry for not replying earlier! I have the inbox configured to only show a few messages, but I guess I’m subscribed to too many newsletters :laughing:

I don’t know about anything else to try. I mentioned the other one in the previous message because I found something similar and ended up doing that and it worked.
Yesterday I found one exactly the one you mentioned, because this one verifies the file format directly.
Maybe, next time, you can also try to see if they are using a vulnerable library or software to verify the file format.

1 Like