
Expert Discusses Critical SSRF Vulnerability in Cloud Platform
In this video we host JR0ch17, a cybersecurity expert based in Montreal, who walks through a Server-Side Request Forgery (SSRF) vulnerability with significant impact. The discussion begins with an introduction to the tested product: a large cloud platform that combines features of Jira, Workday and Monday.com, whose customers choose to host on AWS, GCP or Azure. Each customer has its own tenant, reachable at a tenant-specific URL such as greg.product.com or jr0ch.product.com.

JR0ch17 explains how he found the vulnerability while exploring an API endpoint used during login to look up a tenant's authentication configuration (SAML, OAuth or a basic login form). The endpoint is public and returns nothing sensitive, but it returned data for whichever tenant was named in the query, not only for the tenant the request was sent to. That observation piqued his curiosity and led him to test further.

By supplying non-existent domains and analysing the resulting error messages, JR0ch17 worked out the pattern of the regular expression used to validate the URL. He identified an unregistered domain that matched the pattern, purchased it, and set up a web server to capture the requests. By redirecting those requests to a Burp Collaborator host, he confirmed that the server would fetch and return external content, the starting point of the SSRF exploitation.

His first attempt to reach the AWS instance metadata service at 169.254.169.254 failed: the instance used IMDSv2, which requires a specific request header, and the SSRF gave no way to add one. JR0ch17 therefore had to find other ways to increase the vulnerability's impact. Thanks to his prior experience with the product he already knew an internal domain name, and he used the SSRF to identify the internal assets reachable through it. Reconnaissance on that domain turned up a messaging service that listed the emails sent by every tenant; fetching it through the SSRF let him read the contents of those emails, including sender and recipient details.
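The weak point JR0ch17 describes is a URL check built on a regular-expression pattern that an attacker-registered domain could also satisfy. The following is an added example, not code from the video or from the platform; the base domain product.example, the tenant names, the two patterns and the `resolver` parameter are constructed placeholders and assumptions. It contrasts a loose, unanchored pattern of that kind with a stricter tenant-host check: an anchored pattern, an explicit tenant allowlist, HTTPS only, and a rejection of hosts that resolve to non-public addresses such as the link-local metadata range.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed stand-in for the platform's base domain (product.com in the video).
BASE_DOMAIN = "product.example"

# Weak check of the kind described in the video (hypothetical pattern):
# search() is satisfied by any host that merely CONTAINS a tenant-like label
# followed by the base domain, so a longer, attacker-registered name passes too.
LOOSE_PATTERN = re.compile(r"[a-z0-9-]+\." + re.escape(BASE_DOMAIN))


def loose_is_tenant_url(url: str) -> bool:
    """The weak validator: unanchored substring match on the hostname."""
    host = urlsplit(url).hostname or ""
    return LOOSE_PATTERN.search(host) is not None


# Hardened check: anchored pattern for exactly one label plus the base domain,
# an explicit allowlist of provisioned tenants, https on the default port only,
# and a resolution check that refuses non-public addresses (is_global is False
# for the 169.254.0.0/16 link-local range, loopback and RFC 1918 space).
TENANT_HOST = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\." + re.escape(BASE_DOMAIN) + r"$"
)
KNOWN_TENANTS = {"greg", "jr0ch"}  # constructed: would come from the tenant registry


def is_safe_tenant_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Return True only for an https URL to a known tenant host that resolves
    to a globally routable address. `resolver` is injectable so the check can
    run without DNS; production code should connect to the address it
    validated rather than let the HTTP client resolve the name a second time."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname or ""  # already lower-cased by urlsplit
    if TENANT_HOST.fullmatch(host) is None:
        return False
    tenant = host[: -(len(BASE_DOMAIN) + 1)]
    if tenant not in KNOWN_TENANTS:
        return False
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False
    return addr.is_global


def fake_resolver(table: dict):
    """Offline stand-in for DNS: maps hostnames to constructed addresses."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return table[host]
    return resolve


if __name__ == "__main__":
    # Constructed resolution table: 8.8.8.8 / 8.8.4.4 stand in for public
    # addresses; the jr0ch host is deliberately mapped to the metadata range.
    resolve = fake_resolver({
        "greg.product.example": "8.8.8.8",
        "jr0ch.product.example": "169.254.169.254",
        "greg.product.example.attacker.test": "8.8.4.4",
    })
    for url in ("https://greg.product.example/api/tenant-config",
                "https://greg.product.example.attacker.test/",
                "https://jr0ch.product.example/",
                "http://greg.product.example/"):
        print(f"{url:50} loose={loose_is_tenant_url(url)!s:5} "
              f"strict={is_safe_tenant_url(url, resolve)}")
```

The resolution check only helps if the outbound request is made to the address that was checked; otherwise a name that resolves differently on the second lookup (DNS rebinding) slips past it, which is why the lead-in's pinning advice matters as much as the pattern itself.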
The impact was significant: by intercepting the password-reset email, he could reset the password of any user in any tenant. Although the SSRF gave only limited access to the internal infrastructure, it directly affected users by enabling unauthenticated arbitrary account takeover (ATO), which earned a CVSS score of 10 and a substantial reward. The discussion highlights the role of persistence and experience in bug hunting, and the need to test every possibility in order to maximise the impact of a finding. For the full technical details of the exploitation, watch the video at: https://www.youtube.com/watch?v=uoKMhb6juSo