SSRF bug valid?

So recently I submitted a bounty to a company, and the exploit revolves around link expansion, where if you specify any URL it calls that URL for a preview and displays the preview.

Usually 127.0.0.1 and localhost are blocked, but the IPv6 version isn't, so I could perform SSRF.

I sent the bounty and this is the response they gave:

It seems you are supplying these urls to crawlers which are responsible for fetching external URLs to generate previews. For obvious reasons these crawlers don't have access to any internal system. The results you show don't prove an SSRF issue as your requests never travel within the corpnet.

And this is my response that I am planning on sending:

Normally, the crawlers are blocked from sending requests to localhost and 127.0.0.1, but this IPv6 bypasses that filter (you can test this by putting localhost or 127.0.0.1 in the link expansion). When the crawlers are fetching the external URL, and an internal URL is specified, wouldn't this mean that the request is being sent to that internal destination? Moreover, when ports are specified on that internal IP, the crawler is basically sending a request to that port of that internal destination; if the port is open, then the request is successful. Otherwise, it shows up as invalid.

So is the issue valid, or is it my lack of understanding?
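
For the filter gap the post describes (localhost and 127.0.0.1 blocked by name, the IPv6 loopback not), here is an added example, not code from the post or from the company involved, that puts a hostname string blocklist next to a check on the resolved addresses. The function names, the port allow-list and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

NAIVE_BLOCKLIST = {"localhost", "127.0.0.1"}  # string filter as the post describes it
ALLOWED_PORTS = {80, 443}                     # assumed policy for a preview fetcher

def naive_is_blocked(url):
    """Hostname string match only: never looks at the address behind the name."""
    return (urlsplit(url).hostname or "").lower() in NAIVE_BLOCKLIST

def ip_is_internal(ip):
    """True for any address that is not globally routable unicast, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # apply the IPv4 rules to IPv4-mapped IPv6
    return not addr.is_global or addr.is_multicast

def resolve(host, port):
    """Return every address the host maps to; IP literals skip DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})

def check_preview_url(url, resolver=resolve):
    """Return (allowed, detail); detail is the vetted address list when allowed."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolver(parts.hostname, port)
    except OSError:
        return False, "host does not resolve"
    if not addrs or any(ip_is_internal(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, addrs

if __name__ == "__main__":
    # Constructed sample URLs; 8.8.8.8 stands in for any public host.
    for u in ("http://127.0.0.1/", "http://[::1]/", "http://8.8.8.8/"):
        print(u, "naive_blocked=%s" % naive_is_blocked(u), check_preview_url(u))
```

The fetcher should connect to one of the returned addresses rather than resolving the name a second time, and should run the same check on every redirect target.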
