SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central

Today I’m going to talk about a trick that might be useful for bug hunters.

While I was reading up on bug bounty material, I found a report in which the author described an SSRF
he had found in Bing’s Webmaster Central and reported to Microsoft.
The report describes how the bug could be used to list internal ports and the services of that application.

More info on: https://blog.0daylabs[.]com/2015/08/09/SSRF-in-Microsoft-bing/

Seeing this, I thought “What if I try a new bypass on this fix?”. I like challenges, so I opened my browser and started testing.


First I tried a list of payloads that resolve to ‘127.0.0.1’, but their filter did not allow those addresses.


Since they were blocking access via the address ‘127.0.0.1’ and were also checking IP addresses,
I used the “.nip.io” wildcard DNS domain together with the IP ‘127.127.127.127’ to bypass that first check.

127.127.127.127.nip.io


That was enough to conclude that I had been able to reach their local address.

Note that with “127.127.127.127” it redirects to “/toolbox/webmaster/”.

After that I tried to access a nonexistent directory, to check how the server responded.


Conclusion:

By setting up a domain that resolves to the address ‘127.127.127.127’, I was able to bypass the old fix and list internal ports and directories on Bing Webmaster’s local address.
Administrative panels are often configured to be accessible only locally, and such panels could be found by scanning directories through this SSRF.
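As an added example (not code from the original post or from Bing), here is the defender's side of the trick above: a filter like the one the post bypasses, which only rejects the literal loopback address, beside a hardened check that resolves the hostname and rejects any address that is not public. The DNS mapping is constructed so the code runs offline; `CONSTRUCTED_DNS`, `weak_check` and `hardened_check` are names I chose for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def weak_check(url: str) -> bool:
    """Blocklist-style filter modelled on the fix the post bypasses: it rejects the
    literal loopback name, so '127.127.127.127.nip.io' (which resolves to a different
    127/8 address) and '127.127.127.127' itself both slip through."""
    host = urlsplit(url).hostname or ""
    return host not in {"127.0.0.1", "localhost"}


def hardened_check(url: str, resolve=socket.gethostbyname) -> bool:
    """Resolve the hostname the same way the fetcher will, then allow only globally
    routable unicast addresses. This rejects the whole 127.0.0.0/8 block, RFC 1918
    ranges, link-local (169.254/16, e.g. cloud metadata), ::1, 0.0.0.0, and so on.
    `resolve` is injectable so the check can be exercised without network access.
    Caveats: re-run this check on every redirect hop (the post shows 127.127.127.127
    redirecting to /toolbox/webmaster/), and connect to the address you validated,
    not a fresh lookup, or a rebinding DNS record can swap it underneath you."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False  # unresolvable or malformed: fail closed
    return ip.is_global and not ip.is_multicast


# Constructed DNS table standing in for a real resolver so the example runs offline.
CONSTRUCTED_DNS = {
    "127.127.127.127.nip.io": "127.127.127.127",  # wildcard-DNS trick from the post
    "www.example.com": "93.184.216.34",           # placeholder public address
}


def constructed_resolve(host: str) -> str:
    # Literal IP addresses pass through unchanged, as a real resolver would return them.
    return CONSTRUCTED_DNS.get(host, host)


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "http://127.127.127.127.nip.io/", "http://www.example.com/"):
        print(u, "weak:", weak_check(u), "hardened:", hardened_check(u, constructed_resolve))
```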

Follow me :D http://twitter.com/elber333

Written by: Pentester, CTF player, Bug Hunter & Security Researcher. Twitter: https://twitter.com/elber333
