This article describes a detailed journey of identifying and exploiting an SSRF vulnerability in a cloud environment, ultimately leading to the extraction of Azure Managed Identity tokens. It emphasizes the importance of persistence, asking the right questions, and paying attention to seemingly insignificant details in bug hunting. #Azure #SSRF #ManagedIdentity
Keypoints
- The researcher discovered a potential SSRF vector through a server-side scripting environment with external URL fetch capabilities.
- Initial testing involved simple requests to verify external host reachability, confirming a blind SSRF vulnerability.
- The environment supported custom headers, enabling access to cloud metadata endpoints, specifically Azure.
- The attacker successfully retrieved an OAuth2 token from Azure's internal metadata endpoint, demonstrating privilege escalation potential.
- The report highlighted ongoing security risks, leading to acknowledgment and eventual triage of the issue, with recognition of the researcher's effort.
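On the defensive side, a scripting feature that fetches user-supplied URLs can vet each request before it leaves the host. The sketch below is an added example, not code from the original write-up: `vet_fetch`, `is_internal` and `system_resolve` are hypothetical names, and the blocked header list assumes the Azure managed identity endpoints, which require `Metadata: true` (IMDS) or `X-IDENTITY-HEADER` (App Service) from the caller.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: headers the Azure identity endpoints require from a local caller.
# A user-controlled fetch should never be allowed to set them.
BLOCKED_HEADERS = {"metadata", "x-identity-header"}

def system_resolve(host, port):
    """Return the set of IP strings the socket layer would connect to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def is_internal(ip_text):
    """True for loopback, private, link-local (169.254.0.0/16) and similar."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return not ip.is_global

def vet_fetch(url, headers, resolve=system_resolve):
    """Return (allowed, reason, pinned_ips) for a user-requested fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed", []
    bad = sorted(h for h in headers if h.lower() in BLOCKED_HEADERS)
    if bad:
        return False, "blocked header: " + ", ".join(bad), []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ips = sorted(resolve(parts.hostname, port))
    except (OSError, ValueError):
        return False, "bad port or resolution failed", []
    internal = [ip for ip in ips if is_internal(ip)]
    if internal or not ips:
        return False, "internal address: " + ", ".join(internal), []
    # Connect only to pinned_ips: resolving again later reopens DNS rebinding.
    return True, "ok", ips
```

Checking the resolved address rather than the hostname string also covers alternate IP encodings and DNS names that point at the metadata address.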
Read More: https://infosecwriteups.com/one-ssrf-to-rule-them-all-f6563afce506