Server-Side Request Forgery (SSRF) in Psi Probe

Affected Environment
Project: Psi Probe
Repository: https://github.com/psi-probe/psi-probe
Affected Version: (via WhoisController.java:125)
Attack Vector: Network

Vulnerable Code

Impact Analysis
Confidentiality: Attackers can probe internal databases, file servers, and administrative interfaces that may expose sensitive information.
Integrity: Attackers can interact with internal services using the application server's trusted identity, potentially modifying data or performing unauthorized actions.
Availability: Excessive scanning attempts could degrade application server performance or the availability of internal services.
Severity: HIGH

Specific Impacts
- Internal Network Scanning: Enumerate internal services and identify open ports.
- Access Internal Services: Connect to internal databases, administrative panels, and other services.
- Data Exfiltration: Use the whois protocol as a tunnel to extract data from internal systems.
- Bypass Access Controls: Connections originate from the trusted application server IP address.
- Port Scanning: Test different ports and protocols via the ReferralServer field.

Proof of Concept (PoC)

Reproduction Steps
1. Setup: Register a domain and configure its whois record to include:
2. Attack Execution: Send an authenticated request to query the malicious domain:
3. Expected Result: The application connects to the internal IP address (192.168.1.100:4343), allowing the attacker to:
   - Detect whether the internal service is running (connection success/failure).
   - Map internal network topology by varying ReferralServer values.
   - Interact with internal services via the whois protocol.

Exploit Scenario
An attacker can systematically scan the internal network by configuring multiple domains with different ReferralServer values:
- Test SSH availability.
- Test MySQL availability.
- Test web server availability.
Classification & Remediation
CWE-ID: CWE-918 (Server-Side Request Forgery)

Remediation
Option 1: Whitelist Trusted Whois Servers (Recommended)
Option 2: Disable Referral Following. Remove or comment out lines 126-130 in Whois.java. Referral following is not essential for core whois functionality.
Option 3: Network Segmentation. Restrict outbound network connections from the application server to only necessary services.

References
- CWE-918: Server-Side Request Forgery (SSRF)
- OWASP: Server-Side Request Forgery Prevention Cheat Sheet
- CAPEC-664: SSRF for External Access
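Option 1 in code form, as an added example that is not Psi Probe's own code: a ReferralServer value is checked against an allowlist of whois servers, pinned to port 43, and resolved to a non-internal address before any socket is opened, so an attacker-controlled whois record can no longer steer the server to an arbitrary host or port. The allowlist entries, the handling of a whois:// or rwhois:// prefix, and the names resolveTrustedReferral and connectIfTrusted are assumptions; it needs Java 11 or later.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/**
 * Hardened handling of a whois "ReferralServer" value (advisory Option 1: allowlist
 * of trusted whois servers), with the port pinned to 43 and internal address ranges
 * rejected as defence in depth. Added example; not Psi Probe's code.
 */
public final class SafeWhoisReferral {

    /** Port the whois protocol uses (RFC 3912). */
    public static final int WHOIS_PORT = 43;

    /** Allowlist of referral hosts the server may follow. These entries are assumed. */
    private static final Set<String> TRUSTED_WHOIS_HOSTS = Set.of(
            "whois.iana.org",
            "whois.arin.net",
            "whois.ripe.net");

    private SafeWhoisReferral() {
    }

    /**
     * Validates a ReferralServer value and returns the address to connect to,
     * or null when the referral must not be followed. Accepts "host", "host:port"
     * and an optional whois:// or rwhois:// prefix (prefix handling is an assumption
     * about the field's format).
     */
    public static InetSocketAddress resolveTrustedReferral(String referralValue) {
        if (referralValue == null || referralValue.isBlank()) {
            return null;
        }
        String hostPort = referralValue.trim().replaceFirst("(?i)^r?whois://", "");
        // Drop any trailing path component such as "whois.example.net/".
        int slash = hostPort.indexOf('/');
        if (slash >= 0) {
            hostPort = hostPort.substring(0, slash);
        }
        String host = hostPort;
        int port = WHOIS_PORT;
        int colon = hostPort.lastIndexOf(':');
        if (colon >= 0) {
            host = hostPort.substring(0, colon);
            try {
                port = Integer.parseInt(hostPort.substring(colon + 1));
            } catch (NumberFormatException e) {
                return null; // malformed port: refuse rather than guess
            }
        }
        host = host.toLowerCase(Locale.ROOT);

        // Allowlist first: the referral cannot point the server at an arbitrary host.
        if (!TRUSTED_WHOIS_HOSTS.contains(host)) {
            return null;
        }
        // Only the whois port: removes the port-scanning use of the field.
        if (port != WHOIS_PORT) {
            return null;
        }
        // Defence in depth: even an allowlisted name must not resolve to an internal
        // address. The resolved address, not the name, is what gets connected to,
        // so the check and the connection see the same target.
        try {
            InetAddress addr = InetAddress.getByName(host);
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                return null;
            }
            return new InetSocketAddress(addr, port);
        } catch (UnknownHostException e) {
            return null;
        }
    }

    /** Opens a connection only if the referral passed validation. */
    public static Socket connectIfTrusted(String referralValue, int timeoutMillis) throws IOException {
        InetSocketAddress target = resolveTrustedReferral(referralValue);
        if (target == null) {
            throw new IOException("referral rejected: " + referralValue);
        }
        Socket socket = new Socket();
        socket.connect(target, timeoutMillis);
        return socket;
    }

    public static void main(String[] args) {
        // Constructed sample values: one legitimate referral (needs DNS to be accepted)
        // and two that must be refused.
        String[] samples = {
                "whois://whois.arin.net:43",
                "whois://192.168.1.100:4343", // the internal target named in the advisory
                "whois.arin.net:22"           // allowlisted host, but not the whois port
        };
        for (String s : samples) {
            InetSocketAddress t = resolveTrustedReferral(s);
            System.out.println(s + " -> " + (t == null ? "REJECTED" : "allowed " + t));
        }
    }
}
```

The order of the checks matters: the allowlist and port checks run before any DNS lookup, so an attacker-supplied value never causes the server to resolve or contact a host of the attacker's choosing, and the address check rejects referrals that would land on loopback, RFC 1918 or link-local ranges even if an allowlisted name were later repointed. Option 2 (not following referrals at all) remains the simpler change if referral support is not needed.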