Russian language search engine has secured its backend infrastructure

Russian search and internet services giant Yandex has resolved a potentially serious server-side request forgery (SSRF) vulnerability discovered by Egyptian security researcher Momen Ali.

Ali (AKA ‘theCyberGuy’) discovered the vulnerability after a systematic search of Yandex’s infrastructure.

They reported the vulnerability through Yandex’s bug bounty, earning a spot in the organization’s Hall of Fame for November 2021 after the problem was verified and fixed by its development team.


DEEP DIVES How expired domains help criminal hackers unlock enterprise defenses


The resolution of the vulnerability cleared the way for Ali to publish a technical blog post explaining his approach to bug bounty hunting, his search to identify potential targets within Yandex’s infrastructure using a variety of Google dorks, and the SSRF vulnerability he eventually uncovered.

The root cause of the vulnerability was a misconfigured server forwarding requests to the hostname specified in the Proxy-Host HTTP header.

“SSRF happened because of injecting HTTP headers such as X-Forwarded-Host, so in my case the SSRF was in HTTP header,” as Ali explained in his write-up.

Ali used a combination of Burp Intruder, Burp Collaborator, and the Nuclei template scanner to uncover and validate the vulnerability.

Server-side fun

SSRF attacks in general allow an attacker to trick a server-side application to make HTTP requests to a domain selected by an attacker, normally for malicious purposes.

This might be done either to siphon off authorization credentials, in some attack scenarios, or to get a server to make a connection to internal-only services within the organization’s infrastructure.


Read more of the latest bug bounty news


Ali demonstrated that the Yandex SSRF vulnerability posed the latter class of risk without going further and exploring the scope of the problem.

The Daily Swig asked Ali a number of follow-up questions about their research. No word as yet, but we’ll update this story as and when more information comes to hand.


RECOMMENDED Severe Chrome bug allowed RCE on devices running remote headless interface