SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central

Today I’m going to talk about a trick that might be useful for BugHunters.

While I was looking for a few things about BugBounty, I found a report where the author talked about an SSRF
which he had found in Bing’s Webmaster Central, and reported to Microsoft.
In the Bug it describes that it was able to list internal ports and the services of that application.

More info on: https://blog.0daylabs[.]com/2015/08/09/SSRF-in-Microsoft-bing/

Seeing this I thought “What if I try a new bypass on this fix?”, I like challenges, so I opened my browser and started testing.

First I tried a list of payloads that resolved to ‘127.0.0.1’, but their filter did not allow those addresses.

As they were blocking access via the address ‘127.0.0.1’, and also registering ip addresses,
I used the “.nip.io” domain to be able to bypass that first check along with the ip ‘127.127.127.127’.

127.127.127.127.nip.io

It was enough to deduce that I had been able to access their local address.

Note that with “127.127.127.127” it does a redirect to “/toolbox/webmaster/”

After that I tried to access a nonexistent directory, to check the server responses.

Conclusion:

Setting up a domain to resolve the address ‘127.127.127.127’ I was able to bypass the old fix, list internal ports and directories in the local address of Bing Webmaster,
sometimes many administrative panels are configured to be accessed only locally, which could be found by scanning directories through this SSRF.

Follow me :D http://twitter.com/elber333