2025-02-14
🚀 One hour of research → $8,000 bounty.
📌 Unauthenticated SSRF → Internal file access & cloud metadata leak.
🕵️ Chained into full XSS, no authentication required.
🔍 How I Found It (In Just One Hour!)
While reviewing Microsoft PowerPoint’s client-side source code during research at SecCreative LTD, I found an interesting API call to the endpoint `MediaDownloadHandlerProxy.ashx`.
👉 No authentication required (accepts unauthenticated GET requests).
👉 Expects multiple GET parameters (which we reverse-engineered).
The key parameter we found:
🔹 `mediaSnapServiceDomain` – A user-controlled domain (without a path) that the backend blindly trusts and requests.
🚀 SSRF – Request Flow 🚀
1️⃣ Step 1: Backend Requests Metadata
The backend requests `/MediaDownloadGetMetadata.ashx` on the supplied `mediaSnapServiceDomain`.
It passes along all of the GET parameters.
It expects a structured JSON response (which I reverse-engineered and replicated on our server).
2️⃣ Step 2: Backend Fetches “Media”
If the JSON response is valid, the backend requests `/MediaDownloadHandler.ashx` on the same domain.
The response from `mediaSnapServiceDomain` is fully reflected back to the attacker performing the SSRF, INCLUDING redirects! Oh… and the backend also forwards our headers from the SSRF request. Did someone say “Metadata: true”? 😏
🔥 SSRF – Internal Network Access 🔥
Since the backend blindly follows redirects and returns the final response, we can use it to reach internal services:
✅ Redirect to localhost → Fetch internal files (💡 “That web.config looks nice when it’s supposed to be localhost-only… 🥰” )
✅ Redirect to the cloud metadata service → Leak instance info: `http://169.254.169.254/metadata/v1/instanceinfo`
🚨 Impact:
💡 Leak internal credentials, storage keys, or internal cloud infrastructure details.
💡 Potential RCE (if leaked credentials allow further exploitation; a web.config may also contain the ASP.NET machineKey, which lets an attacker forge ViewState and typically leads to code execution).
💡 Internal network scanning.
💥 Game over? Almost. But we stopped the PoC before RCE to respect and comply with Microsoft Bug Bounty program rules.
🎯 Chaining SSRF into XSS
Since we control `mediaSnapServiceDomain`, we dictate how the backend behaves. By returning a valid JSON response to the first request, we pass validation; the second response then delivers an XSS payload with `Content-Type: text/html`, which the backend relays to the victim’s browser unchanged.
💥 Outcome:
- Reflected XSS in every browser: one vulnerable URL → two backend requests → instant XSS.
- No parameter tampering needed.
- Zero validation of the returned content.
What Undercode Says
This article highlights the critical importance of securing APIs and backend systems against SSRF (Server-Side Request Forgery) and XSS (Cross-Site Scripting). The discovery of an unauthenticated SSRF in Microsoft MediaSnap, which could be chained into a full XSS attack, underscores that a backend must never trust a client-supplied destination: outbound hosts need an allowlist, every redirect hop needs the same checks, client headers must not be forwarded wholesale, and relayed responses need their content type enforced.
To mitigate such vulnerabilities, developers should:
1. Validate and Sanitize Inputs: Treat a client-supplied host such as `mediaSnapServiceDomain` as hostile. A character allowlist (for example `echo "$user_input" | grep -Eq '^[a-zA-Z0-9.-]+$'`) only rejects malformed values; the host must also be compared against an allowlist of known service domains, and the address it resolves to must be rejected if it is loopback, private or link-local.
2. Restrict Internal Access: Ensure that internal services and the cloud metadata endpoint are not reachable from the component that issues server-side requests. An inbound rule such as `sudo iptables -A INPUT -s 169.254.0.0/16 -j DROP` does nothing against SSRF, because the request originates on the host itself; filter egress instead, e.g. `sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP`, and re-check the destination on every redirect hop, since the first hop can be perfectly legitimate.
3. Implement Content-Type Validation: `curl -sI https://example.com | grep -i '^content-type:'` shows what an upstream returns, but the check has to be enforced in the backend: accept only the types the feature expects (JSON for the metadata call, image types for media), reject `text/html` outright, and send `X-Content-Type-Options: nosniff` with whatever is relayed.
4. Monitor and Log Requests: Log every outbound request made on behalf of a client with its destination host and resolved IP, and alert on link-local or loopback destinations. On the host, `sudo tcpdump -i eth0 -n 'dst host 169.254.169.254'` shows whether anything is reaching the metadata service at all.
5. Use Secure Coding Practices: Follow secure coding guidelines and conduct regular security audits.
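The two backend requests in the write-up, the redirect following, the header forwarding and the `text/html` reflection all come from one missing control: the backend never re-validates where it is about to connect or what it got back. The following is an added example, not code from the original page, from SecCreative or from Microsoft: a Python sketch of the hardened outbound fetch a proxy like this would need, applying the checks from the list above. The upstream host `media.example.com`, the placeholder address `1.2.3.4`, the allowed content types and the reuse of the handler name for the simulated upstream are assumptions; the simulated network (`fake_resolver`, `fake_transport`) is constructed so the example runs offline.

```python
"""Hardened outbound fetch for a media proxy (added example, not the page's or
Microsoft's code). Every hop, redirects included, passes the same checks;
client headers are not forwarded wholesale; the body is returned only for an
expected Content-Type, which closes the text/html reflection path."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Policy values are assumptions for the example; a real service knows its upstreams.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"media.example.com"}                  # hypothetical upstream host
ALLOWED_CONTENT_TYPES = {"application/json", "image/jpeg", "image/png"}
FORWARDABLE_HEADERS = {"accept", "range"}             # an explicit subset, never "all"
MAX_REDIRECTS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SsrfBlocked(Exception):
    """A hop of the outbound request violated policy."""


def is_public_ip(ip):
    """Reject loopback, link-local (169.254/16, where cloud metadata lives),
    private, multicast, reserved and unspecified addresses, also when IPv4-mapped."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """All A/AAAA answers for host (IPv6 scope suffixes stripped). The caller must
    pin the connection to the validated address so DNS rebinding cannot swap it."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def validate_url(url, resolver=system_resolver):
    """Return the address the connection must be pinned to, or raise SsrfBlocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SsrfBlocked("userinfo in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise SsrfBlocked(f"host not on allowlist: {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address, no DNS
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise SsrfBlocked(f"{host!r} resolves to a non-public address")
    return addrs[0]


def safe_fetch(url, client_headers, transport, resolver=system_resolver):
    """transport(url, pinned_ip, headers) -> (status, headers, body); it must not
    follow redirects itself, because each Location is re-validated here."""
    outbound = {k: v for k, v in client_headers.items()
                if k.lower() in FORWARDABLE_HEADERS}
    for _ in range(MAX_REDIRECTS + 1):
        pinned_ip = validate_url(url, resolver)
        status, headers, body = transport(url, pinned_ip, outbound)
        headers = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECT_STATUSES:
            if "location" not in headers:
                raise SsrfBlocked("redirect without Location")
            url = urljoin(url, headers["location"])   # checked again next iteration
            continue
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            raise SsrfBlocked(f"unexpected content type: {ctype!r}")
        # Emit only headers we choose; never relay the upstream's set verbatim.
        return status, {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}, body
    raise SsrfBlocked("too many redirects")


# Constructed stand-ins so the example runs offline; 1.2.3.4 is a placeholder.
FAKE_DNS = {"media.example.com": ["1.2.3.4"]}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url, pinned_ip, headers):
    """Simulated upstream: a redirect toward the metadata service, an HTML body
    (the XSS path from the write-up) and one legitimate image."""
    path = urlsplit(url).path
    if path == "/MediaDownloadHandler.ashx":
        return 302, {"Location": "http://169.254.169.254/metadata/v1/instanceinfo"}, b""
    if path == "/html":
        return 200, {"Content-Type": "text/html"}, b"<script>alert(1)</script>"
    if path == "/thumb.png":
        return 200, {"Content-Type": "image/png; charset=binary"}, b"\x89PNG\r\n"
    raise AssertionError(f"unexpected fetch of {url}")


def outcome(url, client_headers=None):
    """'allowed:<status>:<type>' or 'blocked:<reason>' for url against the fakes."""
    try:
        status, hdrs, _ = safe_fetch(url, client_headers or {}, fake_transport, fake_resolver)
        return f"allowed:{status}:{hdrs['Content-Type']}"
    except SsrfBlocked as exc:
        return f"blocked:{exc}"


if __name__ == "__main__":
    for u in ("https://attacker.example/MediaDownloadGetMetadata.ashx",
              "https://media.example.com/MediaDownloadHandler.ashx",
              "https://media.example.com/html",
              "https://media.example.com/thumb.png",
              "http://localhost/web.config"):
        print(f"{u:58} -> {outcome(u)}")
```

Running the module prints one line per probe URL: the attacker-controlled domain fails the allowlist, the redirect to `169.254.169.254` is caught on the second hop, the `text/html` body is refused, and only the image is relayed. The `transport` callable must not follow redirects on its own, otherwise the per-hop validation is bypassed; in a real deployment it should also connect to `pinned_ip` rather than re-resolving the hostname, so a DNS answer that changes between check and connect (rebinding) cannot reach the metadata address.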
For further reading on SSRF and XSS mitigation, refer to:
– OWASP SSRF Prevention Cheat Sheet
– OWASP XSS Prevention Cheat Sheet
By implementing these measures, organizations can significantly reduce the risk of SSRF and XSS vulnerabilities, ensuring a more secure digital environment.