DownNotifier has an open bug bounty program hosted on
DownNotifier is a service which periodically scans your websites and notifies you if your website has gone down.
Due to the nature of the website and the service it provides, I thought about some application logic bugs which might work, so what came to mind was
ii. SSRF Explanation
SSRF, sometimes pronounced "Surf", stands for Server Side Request Forgery.
Essentially, with SSRF you are able to send requests originating from the web server, which you can leverage to read local files or even enumerate services on the local system.
Within SSRF exists a sub-attack known as XSPA (Cross Site Port Attack).
With XSPA, you can use server output (which was easier for us in this case) or server response times to fingerprint whether local services such as ftp, mysql or redis are running on the server.
iii. Exploiting XSPA to Enumerate Local Services
When browsing to downnotifier we are greeted with:
Trying usual loopback addresses like 127.0.0.1 does not seem to work too well:
Also, trying to grab files using file:// turned out as expected:
I tried some more payloads I found on the PayloadsAllTheThings SSRF payload page and found that 0.0.0.0 seemed to be accepted.
Though, even if it bypassed the filter, would it still work?
To see if it would, I added some common ports.
30 seconds later, we can see that we indeed did get an SSRF and were able to enumerate local services.
http are running.
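The filter above only blocked the literal 127.0.0.1 and file://, which is why 0.0.0.0 slipped through. As an added example (not DownNotifier's code, and the allowed port list is my assumption for a site monitor), here is a target validator that checks the scheme, restricts ports, and rejects any literal or resolved address that is not globally routable, so loopback, 0.0.0.0, RFC 1918 and link-local ranges are all caught by one rule instead of a denylist of strings.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # assumption: a site monitor only needs HTTP(S)


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for 0.0.0.0/8, 127.0.0.0/8, RFC 1918,
    169.254.0.0/16 (cloud metadata lives here), ::1 and ::ffff:0:0/96.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def default_resolver(host: str) -> list:
    """Resolve a hostname to every A/AAAA record it returns."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_monitor_target(url: str, resolve=default_resolver) -> list:
    """Return the public IPs the URL points at, or raise ValueError.

    `resolve` is injectable so the check can be tested offline. The caller
    must then connect to one of the returned IPs (not re-resolve the name),
    otherwise a DNS rebinding could swap in a private address after the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    # Literal addresses (0.0.0.0, 127.0.0.1, [::1] ...) are checked directly;
    # shorthand like 127.1 is not a valid literal and falls through to DNS.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return ips


def is_allowed(url: str, resolve=default_resolver) -> bool:
    """Boolean wrapper around validate_monitor_target."""
    try:
        validate_monitor_target(url, resolve)
        return True
    except ValueError:
        return False
```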
I reported the bug to DownNotifier and within 24 hours there was a response and a patch.
I would like to thank DownNotifier for the acknowledgement and the quick patch.
Thank you for reading,
Sources: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Request Forgery