SSRF & LFI In Uploads Feature
Hello fellow hackers, today I will discuss how I found a Server-Side Request Forgery (SSRF) which led to a Local File Inclusion (LFI) that exposed backend resources in a bug bounty program.
Introduction
Server-Side Request Forgery (SSRF) is a web application vulnerability in which an attacker can induce the server-side application to make HTTP requests to domains supplied by the attacker.
Without correct validation, the attacker can make connections to backend resources that shouldn’t otherwise be available to them. This is often because the request originates from the backend server rather than the attacker’s machine, which grants them unauthorized access.
Now that we know the basics, let’s jump into how I ended up finding an SSRF/LFI vulnerability in a bug bounty program’s upload feature.
Initial Finding
I tend to heavily test file upload functionality in bug bounty programs when I see it. This is because file upload vulnerabilities can lead to a bunch of different issues such as Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and sometimes even Remote Command Execution (RCE).
While testing this and uploading a Word document, I noticed that the document gets converted into a PDF on the backend, which is later displayed to the user after conversion. This means that the data within the provided file…