Yahoo! SSRF/XSPA Vulnerability

Before describing how I found this bug, I would like to introduce the SSRF/XSPA vulnerability.

An application is vulnerable to Cross Site Port Attacks (XSPA) if it processes user-supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet-facing servers, intranet devices and the web server itself, using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even to fetch data from remote services in unconventional ways. XSPA allows attackers to target the server infrastructure: mostly the intranet of the web server, the web server itself, and any public Internet-facing server as well. This vulnerability can be used for:
1) Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.
2) Exploiting vulnerable programs running on the Intranet or on the local web server
3) Fingerprinting intranet web applications using standard application default files & behavior
4) Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.)
5) Reading local web server files using the file:/// protocol handler.

In this blog post I’m describing how I used the Yahoo! server to port scan a remote host to see if a port is in the open, filtered or closed state. This is the bug report I sent to Yahoo! Security.

I’ve found an SSRF in http://add.yahoo.com
These are the steps to reproduce the issue:
1) Go to http://dir.yahoo.com/recreation/games/video_games/titles/action/
2) Now click on the “Suggest a Site” button and subsequently click on “Standard Consideration”
3) Now click on the “Continue” button
Now in this page we have to fill in 4 forms. In the “Site Title” I’ve inserted ‘asdf’ as the value.
Now in the “Security Email ID” and “Contact Person” forms we have to insert values of our choice.
Now in the “URL” form we have to insert the target site to see if a certain port is in the filtered, open or closed state.
Let’s suppose that port 20 of www.targeturl.com is closed, so in the “URL” form we have to insert “http://www.targeturl.com:20”.
Now that we have filled in all the form values we have to click on the “Submit” button. Now we will receive an error like this, “The following resulted when trying to access your document:

connect: Connection refused”, telling us that the port is closed.
Let’s suppose that port 23 of www.targeturl.com is filtered, so in the “URL” form we have to insert “http://www.targeturl.com:23”.
If the port is filtered we will receive the following message: “The following resulted when trying to access your document:

Request Timeout”
Let’s suppose that port 21 of www.targeturl.com is open, so in the “URL” form we have to insert “http://www.targeturl.com:21”.
If the port is open we will receive the following message: “Document contains no data”. Based on these three errors we can understand if a port of a remote host is open, filtered or closed.
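Both the XSPA description above and the report itself point at the same two defects: the form fetched any scheme/host/port the user typed, and it echoed the backend's own error ("Connection refused", "Request Timeout", "no data") to the client. The following is an added example, written for this post and not Yahoo's or the original author's code, of how a "suggest a site" style fetcher can close both gaps. The policy values (http/https only, ports 80 and 443 only, resolved address must be public), the `fetch(ip, port)` callback, the constructed `FAKE_DNS` table and the constructed public address `93.184.216.34` are all assumptions so that the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed fetch policy for a "suggest a site" style feature (not Yahoo's code):
# only http/https, only the default web ports, and the host must resolve to a
# public address. Adjust the values to your own service.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# One message for every failure, so the client cannot tell "Connection refused"
# from "Request Timeout" from "no data" and use the form as a port scanner.
GENERIC_ERROR = "We could not verify that URL."


class UrlRejected(ValueError):
    """Raised when a user-supplied URL fails the fetch policy."""


def validate_target(url, resolve=socket.gethostbyname):
    """Return (hostname, port, ip) for a URL the service may fetch, or raise UrlRejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # also blocks file:/// and gopher://
        raise UrlRejected("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise UrlRejected("missing host")
    try:
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError as exc:
        raise UrlRejected("malformed port") from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise UrlRejected("port not allowed: %d" % port)
    # Check the resolved address, not the name: 'localhost', a literal 10.x
    # address and an internal DNS name all fail the same test.
    try:
        addr = ipaddress.ip_address(host)      # literal IP in the URL
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError) as exc:
            raise UrlRejected("unresolvable host: %r" % host) from exc
    if not addr.is_global:                     # loopback, private, link-local, ...
        raise UrlRejected("non-public address: %s" % addr)
    return host, port, str(addr)


def fetch_for_user(url, fetch, resolve=socket.gethostbyname, audit=None):
    """Validate, fetch by the vetted IP, and never echo backend errors to the client.

    `fetch(ip, port)` stands in for the real HTTP client. Rejection reasons and
    backend failures are appended to `audit` (a list) for server-side logging only.
    """
    try:
        host, port, ip = validate_target(url, resolve)
    except UrlRejected as exc:
        if audit is not None:
            audit.append("rejected %r: %s" % (url, exc))
        return GENERIC_ERROR
    try:
        # Connect to the address that was checked, so a DNS answer that changes
        # between validation and fetch (rebinding) cannot redirect the request.
        return fetch(ip, port)
    except OSError as exc:  # ConnectionRefusedError, TimeoutError, ... are all OSError
        if audit is not None:
            audit.append("backend failure for %s:%d: %r" % (host, port, exc))
        return GENERIC_ERROR


# Constructed DNS answers so the example runs offline; these are not real records.
FAKE_DNS = {
    "www.targeturl.com": "93.184.216.34",   # constructed public address
    "intranet.local": "10.0.0.5",           # private range
    "metadata": "169.254.169.254",          # link-local
}


def fake_resolve(host):
    """Stand-in for socket.gethostbyname using the constructed table above."""
    if host not in FAKE_DNS:
        raise socket.gaierror("name not found: " + host)
    return FAKE_DNS[host]


def demo(audit=None):
    """Run the report's three port states and several policy rejections through fetch_for_user."""
    def refused(ip, port):
        raise ConnectionRefusedError("connect: Connection refused")

    def timed_out(ip, port):
        raise TimeoutError("Request Timeout")

    def no_data(ip, port):
        return ""

    url = "https://www.targeturl.com/"
    return {
        "closed": fetch_for_user(url, refused, fake_resolve, audit),
        "filtered": fetch_for_user(url, timed_out, fake_resolve, audit),
        "open": fetch_for_user(url, no_data, fake_resolve, audit),
        "port_20": fetch_for_user("http://www.targeturl.com:20", no_data, fake_resolve, audit),
        "file": fetch_for_user("file:///etc/passwd", no_data, fake_resolve, audit),
        "intranet": fetch_for_user("http://intranet.local/", no_data, fake_resolve, audit),
        "metadata": fetch_for_user("http://metadata/", no_data, fake_resolve, audit),
        "loopback": fetch_for_user("http://127.0.0.1/", no_data, fake_resolve, audit),
    }


if __name__ == "__main__":
    log = []
    for name, reply in demo(log).items():
        print("%-9s -> %r" % (name, reply))
    print("\n".join(log))
```

Two design points matter here. The `closed` and `filtered` cases both come back as `GENERIC_ERROR`, so the three replies the report relied on collapse into one; the real reason still lands in `audit`, which is where a defender wants it (a burst of "port not allowed" or "non-public address" rejections from one account is a useful detection signal). And the fetch is made to the IP that passed the check rather than to the hostname, which also covers the case where the same name resolves differently a moment later.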

The bug has now been fixed. To write this blog post I referred to this article, which is in my opinion one of the best tutorials on the SSRF/XSPA vulnerability.

This is the Video PoC: