
I recently came across an application that was vulnerable to HTML injection in the invite function. When I inserted <img src="image.jpg">, the image was rendered in the mail I received.

I decided to test for blind SSRF with out-of-band detection, so I used the payload <img src="burp collaborator payload"> and sent the invite. When I checked Burp Collaborator, I received a DNS query like the one below. [screenshot]

I couldn't get any HTTP request from the server.

Is this vulnerable or not? If not, is there any possible way to escalate, or any bypass methods to get an HTTP request?

– None_None
  • Was the invite sent to you? Was it you opening it that triggered the DNS request (e.g. your IP address, or possibly the email provider's IP address)? – multithr3at3d Jul 19 '20 at 16:43
  • Yes, the invite is sent to my email. As soon as I sent the invite request, I received this DNS query, which has the IP address of the organization. Without opening the email, only this DNS query is triggered and nothing else. When I open the mail, it triggers further HTTP requests, which come from the Google image proxy trying to load the image from the Burp Collaborator payload I passed. – None_None Jul 19 '20 at 16:47
  • How are you trying to get an HTTP payload from the service? Remember the important part here: whatever response the HTTP service gives is going to be returned in an <img> tag. Therefore a text response most likely won't work, and in fact the server may just be ignoring any non-image responses. So it's quite possible that the request is being made, but the response is not being returned to you. I'm just guessing though. – Conor Mancone Jul 19 '20 at 18:35
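The root cause discussed above is that a user-controlled invite field reaches the HTML email unescaped, so an injected <img> makes the mail server (and later the recipient's image proxy) fetch an attacker-chosen host. The Python below is an added example, not code from the question or from the application described; the invite template, the allow-listed CDN host, the `oob.example` hostname and all function names are assumptions. It shows the vulnerable rendering beside the escaped one, and a pre-send check that parses the final HTML and flags any resource reference to a host outside the allow list, which is exactly the kind of control that would have caught this injection before the message left the system.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host the app's own email templates may load resources from.
ALLOWED_RESOURCE_HOSTS = {"static.example.com"}

# Assumption: a minimal invite template with three user-influenced fields.
INVITE_TEMPLATE = (
    "<html><body>"
    '<img src="https://static.example.com/logo.png" alt="logo">'
    "<p>{inviter} invited you to join {org}.</p>"
    "<p>Message: {message}</p>"
    "</body></html>"
)


def render_invite_vulnerable(inviter, org, message):
    # The bug from the question: user-controlled text is interpolated raw,
    # so an <img> in the message becomes a real tag in the outgoing mail.
    return INVITE_TEMPLATE.format(inviter=inviter, org=org, message=message)


def render_invite_safe(inviter, org, message):
    # Escape every user-controlled field; tags become inert text and the
    # mail server has nothing to resolve or fetch on the attacker's behalf.
    return INVITE_TEMPLATE.format(
        inviter=html.escape(inviter, quote=True),
        org=html.escape(org, quote=True),
        message=html.escape(message, quote=True),
    )


class _ResourceCollector(HTMLParser):
    """Collects every attribute value that would trigger a resource load."""

    RESOURCE_ATTRS = {
        "img": ("src",),
        "script": ("src",),
        "link": ("href",),
        "iframe": ("src",),
        "source": ("src",),
        "video": ("src", "poster"),
        "audio": ("src",),
    }

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (e.g. <img ... />) calls this by default.
        for name, value in attrs:
            if value and name in self.RESOURCE_ATTRS.get(tag, ()):
                self.urls.append(value)


def find_unexpected_resources(body):
    """Return resource URLs in the rendered mail whose host is not allow-listed.

    Relative and protocol-relative references are flagged too: a transactional
    email should only ever reference the app's own CDN, so anything else in the
    final HTML indicates template breakage or injected markup.
    """
    parser = _ResourceCollector()
    parser.feed(body)
    parser.close()
    flagged = []
    for url in parser.urls:
        host = urlparse(url).hostname
        if host is None or host.lower() not in ALLOWED_RESOURCE_HOSTS:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed sample input mirroring the question's payload (hostname is a placeholder).
    payload = '<img src="https://oob.example/probe.png">'
    print(find_unexpected_resources(render_invite_vulnerable("Alice", "Acme", payload)))
    print(find_unexpected_resources(render_invite_safe("Alice", "Acme", payload)))
```

Wiring `find_unexpected_resources` into the send path (refuse to send, and log the flagged URLs) turns the out-of-band DNS lookup seen in the question into a server-side alert instead: the escaped template yields no flagged URLs, while the raw interpolation yields the injected host before any lookup happens.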
