Russian language search engine has secured its backend infrastructure
Ali (AKA ‘theCyberGuy’) discovered the vulnerability after a systematic search of Yandex’s infrastructure.
They reported the vulnerability through Yandex’s bug bounty, earning a spot in the organization’s Hall of Fame for November 2021 after the problem was verified and fixed by its development team.
The resolution of the vulnerability cleared the way for Ali to publish a technical blog post explaining his approach to bug bounty hunting, his search to identify potential targets within Yandex’s infrastructure using a variety of Google dorks, and the SSRF vulnerability he eventually uncovered.
The root cause of the vulnerability was a misconfigured server forwarding requests to the hostname specified in the Proxy-Host HTTP header.
“SSRF happened because of injecting HTTP headers such as X-Forwarded-Host, so in my case the SSRF was in HTTP header,” as Ali explained in his write-up.
Ali used a combination of Burp Intruder, Burp Collaborator, and the Nuclei template scanner to uncover and validate the vulnerability.
SSRF attacks in general allow an attacker to trick a server-side application to make HTTP requests to a domain selected by an attacker, normally for malicious purposes.
This might be done either to siphon off authorization credentials, in some attack scenarios, or to get a server to make a connection to internal-only services within the organization’s infrastructure.
Ali demonstrated that the Yandex SSRF vulnerability posed the latter class of risk without going further and exploring the scope of the problem.
The Daily Swig asked Ali a number of follow-up questions about their research. No word as yet, but we’ll update this story as and when more information comes to hand.