Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports

What is Server-Side Request Forgery (SSRF) ?

SSRF is when you, as an attacker, successfully make the application triggering arbitrary requests.

Server-Side Request Forgery (SSRF) is basically correlated with other vulnerabilities a lot of times, for example:

XXE with SSRF:

<?xml version="1.0"?>
<!DOCTYPE foo [ 
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>

Host Header Injection with SSRF:

GET / HTTP/1.1
Host: localhost

HTML Injection with SSRF:

<iframe src=http://localhost></iframe

ImageMagick SSRF in HLS Processing:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE: 0
#EXTINF:10.0,
http://localhost
#EXT-X-ENDLIST

Why is that dangerous?

Let’s assume you are hosting an application on port 80/443 externally, and the administrative panel is being hosted on port 8008 internally. Through SSRF, you can send arbitrary requests to the administrative panel hosted internally.

Different Types of Server-Side Request Forgery

There are mainly 3 different types of Server-Side Request Forgery (SSRF) that you must be aware of:

  • Normal Server-Side Request Forgery (SSRF): You can see the response of the SSRF request in your browser/interceptor.

Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: SSRF in Exchange leads to ROOT access in all instances

Company: Shopify

Bounty: $25,000

Link: https://hackerone.com/reports/341876

#2

Title: Full Read SSRF on Gitlab’s Internal Grafana

Company: Gitlab

Bounty: $12,000

Link: https://hackerone.com/reports/878779

#3

Title: SSRF on project import via the remote_attachment_url on a Note

Company: GitLab

Bounty: $10,000

Link: https://hackerone.com/reports/826361

#4

Title: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com

Company: GitLab

Bounty: $6,000

Link: https://hackerone.com/reports/1092230

#5

Title: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery

Company: GitLab

Bounty: $5,000

Link: https://hackerone.com/reports/541169

#6

Title: Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure

Company: Dropbox

Bounty: $4,913

Link: https://hackerone.com/reports/923132

#7

Title: Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

Company: Snapchat

Bounty: $4,000

Link: https://hackerone.com/reports/530974

#8

Title: Unauthenticated blind SSRF in OAuth Jira authorization controller

Company: GitLab

Bounty: $4,000

Link: https://hackerone.com/reports/398799

#9

Title: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration

Company: HackerOne

Bounty: $3,500

Link: https://hackerone.com/reports/374737

#10

Title: Server Side Request Forgery mitigation bypass

Company: GitLab

Bounty: $3,500

Link: https://hackerone.com/reports/632101

#11

Title: SSRF in CI after first run

Company: GitLab

Bounty: $3,000

Link: https://hackerone.com/reports/369451

#12

Title: External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing

Company: TikTok

Bounty: $2,727

Link: https://hackerone.com/reports/1062888

#13

Title: Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF

Company: New Relic

Bounty: $2,500

Link: https://hackerone.com/reports/708589

#14

Title: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE

Company: Rockstar Games

Bounty: $1,500

Link: https://hackerone.com/reports/288353

#15

Title: SSRF on https://qiwi.com using “Prerender HAR Capturer”

Company: QIWI

Bounty: $1,500

Link: https://hackerone.com/reports/1153862

#16

Title: Blind SSRF in emblem editor (2)

Company: Rockstar Games

Bounty: $1,500

Link: https://hackerone.com/reports/265050

#17

Title: SSRF — Unchecked Snippet IDs for distributed files

Company: Open-Xchange

Bounty: $1,500

Link: https://hackerone.com/reports/997926

#18

Title: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int

Company: QIWI

Bounty: $1,000

Link: https://hackerone.com/reports/713900

#19

Title: SSRF chained to hit internal host leading to another SSRF which allows to read internal images.

Company: PlayStation

Bounty: $1,000

Link: https://hackerone.com/reports/826097

#20

Title: SSRF on image renderer

Company: PlayStation

Bounty: $1,000

Link: https://hackerone.com/reports/811136

#21

Title: SSRF in webhooks leads to AWS private keys disclosure

Company: Omise

Bounty: $700

Link: https://hackerone.com/reports/508459

#22

Title: SSRF In Get Video Contents

Company: Semrush

Bounty: $500

Link: https://hackerone.com/reports/643622

#23

Title: SSRF in api.slack.com, using slash commands and bypassing the protections.

Company: Slack

Bounty: $500

Link: https://hackerone.com/reports/381129

#24

Title: SVG Server Side Request Forgery (SSRF)

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/223203

#25

Title: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint

Company: GSA Bounty

Bounty: $300

Link: https://hackerone.com/reports/895696

Bonus: 10 Zero Dollars SSRF Reports

#1

Title: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft

Company: Lyft

Bounty: $0

Link: https://hackerone.com/reports/885975

#2

Title: SSRF on duckduckgo.com/iu/

Company: DuckDuckGo

Bounty: $0

Link: https://hackerone.com/reports/398641

#3

Title: XXE Injection through SVG image upload leads to SSRF

Company: Zivver

Bounty: $0

Link: https://hackerone.com/reports/897244

#4

Title: Sending Emails from DNSDumpster — Server-Side Request Forgery to Internal SMTP Access

Company: Hacker Target

Bounty: $0

Link: https://hackerone.com/reports/392859

#5

Title: SSRF in alerts.newrelic.com exposes entire internal network

Company: New Relic

Bounty: $0

Link: https://hackerone.com/reports/198690

#6

Title: Server-Side Request Forgery (SSRF) in Ghost CMS

Company: Node.js third-party modules

Bounty: $0

Link: https://hackerone.com/reports/793704

#7

Title: Blind SSRF in “Integrations” by abusing a bug in Ruby’s native resolver.

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/287245

#8

Title: SSRF vulnerability on ██████████ leaks internal IP and various sensitive information

Company: U.S. Dept Of Defense

Bounty: $0

Link: https://hackerone.com/reports/310036

#9

Title: Bypass for blind SSRF #281950 and #287496

Company: Infogram

Bounty: $0

Link: https://hackerone.com/reports/642675

#10

Title: SSRF

Company: Cloudflare Vulnerability Disclosure

Bounty: $0

Link: https://hackerone.com/reports/253558

Thanks very much and hope that you found this article helpful!

Your email address will not be published. Required fields are marked *

Hackerinthehouse is a Marketplace and General forum and our only purpose is to help you out getting more in Technology and Cyber Security.