Description

We’ve come across two new endpoints during a content discovery exercise against the Acme IT Support website. The first one is /private, which gives us an error message explaining that the contents cannot be viewed from our IP address. The second is a new version of the customer account page at /customers/new-account-page with a new feature allowing customers to choose an avatar for their account.

Approach

First, create a customer account and sign in. Once you’ve signed in, visit /customers/new-account-page to view the new avatar selection feature. Viewing the page source of the avatar form, you’ll see that the avatar form field’s value contains the path to the image. The background-image style on the div element above it confirms this, as per the screenshot below:

If you choose one of the avatars and then click the Update Avatar button, you’ll see the form change and, above it, your currently selected avatar is displayed. Viewing the page source will show that your current avatar is displayed using the data URI scheme, with the image content base64 encoded, as per the screenshot below.

Now let’s make the request again, but with the avatar value changed to private, in the hope that the server itself will fetch the resource and so get past the IP address block. To do this, first right-click on one of the radio buttons on the avatar form and select Inspect:

And then edit the value of the radio button to private:

And then click the Update Avatar button. Unfortunately, it looks like the web application has a deny list in place and has blocked access to the /private endpoint.

As you can see from the error message, the path cannot start with /private, but don’t worry, we’ve still got a trick up our sleeve to bypass this rule. We can use a directory traversal trick to reach our desired endpoint. Try setting the avatar value to ./private instead.

Viewing the page source of the avatar form, you’ll see the currently set avatar now contains the contents of the /private endpoint in base64 encoding. Decode this content and it will reveal a flag that you can enter below.
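To see why a textual deny list fails here, the following is an added example and not the lab’s own server code: the first check mirrors the rule the error message describes, the second canonicalises the value and allow-lists the avatar directory instead. It assumes the server resolves the avatar value against the site root and that legitimate avatars live under /images/avatars (both are assumptions, not facts from the lab).

```python
from posixpath import normpath

# Assumed location of the legitimate avatars (not taken from the lab).
AVATAR_ROOT = "/images/avatars"


def canonical(avatar: str) -> str:
    """Resolve the submitted value against the site root and collapse . and .. segments.

    "./private", "private" and "/images/avatars/../../private" all become "/private".
    """
    return normpath("/" + avatar.lstrip("/"))


def deny_list_allows(avatar: str) -> bool:
    """Flawed check: rejects only values whose literal text starts with /private.

    Any spelling of the same location that does not start with that prefix
    (for example "./private") passes, which is the weakness the walkthrough uses.
    """
    return not avatar.startswith("/private")


def allow_list_allows(avatar: str) -> bool:
    """Hardened check: canonicalise first, then require the result to sit under AVATAR_ROOT.

    Because the comparison happens after normalisation, no alternative spelling
    of a path outside the avatar directory can reach the fetch step.
    """
    return canonical(avatar).startswith(AVATAR_ROOT + "/")


# Constructed sample values: one legitimate avatar and three spellings of the private endpoint.
SAMPLE_VALUES = [
    "/images/avatars/1.png",
    "/private",
    "./private",
    "/images/avatars/../../private",
]


def evaluate(values=SAMPLE_VALUES) -> dict:
    """Map each value to (deny-list verdict, allow-list verdict) for side-by-side comparison."""
    return {v: (deny_list_allows(v), allow_list_allows(v)) for v in values}


if __name__ == "__main__":
    for value, (deny, allow) in evaluate().items():
        print(f"{value:35} deny-list allows={deny!s:5} allow-list allows={allow}")
```

Only the allow-list check rejects every spelling of /private while still accepting the real avatar path.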

Flag

Success

THM{YOU_WORKED_OUT_THE_SSRF}