Ashiyane DST Discovers Google Docs XSPA/SSRF

Iranian hackers from the Ashiyane Digital Security Team have discovered an XSPA/SSRF (Cross Site Port Attack / Server Side Request Forgery) vulnerability in Google Docs.

The vulnerability was found by Ehsan Hosseini, V For Vendetta and Und3rgr0und.

Author: Ashiyane Digital Security Team
Vendor Homepage: http://docs.google.com/
Vulnerability Type : Cross Site Port Attack -XSPA- [CWE-918]
Intercept proxy used : BurpSuite
Contact: [email protected]

The details are linked here.

XSPA -Cross Site Port Attacks-

“An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application.

The responses, in certain cases, can be studied to identify service availability -port status, banners etc- and even fetch data from remote services in unconventional ways. XSPA allows attackers to abuse available functionality in most web applications to port scan intranet and external Internet facing servers, fingerprint internal (non-Internet exposed) network aware services, perform banner grabbing, identify web application frameworks, exploit vulnerable programs, run code on reachable machines, exploit web application vulnerabilities listening on internal networks, read local files using the file protocol and much more.”

SSRF -Server Side Request Forgery-

“SSRF is non HTTP dependent. SSRF works with services that are not HTTP at source -like MSSQL/Oracle etc-.
SSRF uses XXE to attack internal applications and programs, unlike XSPA, which is self-contained.”

All bugs found by the Ashiyane Digital Security Team are listed here.
The Ashiyane Digital Security Team home page is: http://ashiyane.org
