Unauthenticated SSRF via /loadImg bypassing startWith whitelist to steal auth tokens

用户希望我总结一张关于安全漏洞的网页截图。 我需要提取以下关键信息： 1. 漏洞概述 (Summary/Overview): 标题和摘要部分。 2. 影响范围 (Impact): 漏洞造成的后果。 3. 修复方案 (Recommended Fix): 建议的修复代码。 4. POC/利用代码: 如果有的话，需要完整提取。 分析截图内容： 标题: Unauthenticated SSRF via /loadImg Chains with startWith() Credential Leak for Authentication Token Theft (未认证的 SSRF 通过 /loadImg 链式调用 startWith() 导致凭据泄露，用于窃取认证令牌)。 摘要 (Summary): 描述了一个未认证的 SSRF 漏洞，位于 端点。攻击者可以通过构造特定的 URL 参数（ 参数），利用 方法绕过白名单检查，从而发起 SSRF 攻击。这可能导致内部网络扫描、敏感数据泄露（如 文件）以及认证令牌窃取。 影响 (Impact): 未授权访问内部资源。 敏感数据泄露（如 文件）。 认证令牌窃取。 服务器端请求伪造 (SSRF)。 修复方案 (Recommended Fix): 提供了具体的代码修改建议。 Fix 1: 在 类中，修改 方法。不再使用 进行简单的白名单检查，而是使用更严格的验证逻辑（如 或 且排除内网地址）。 Fix 2: 在 类中，修改 方法。增加对 参数的验证，确保其是合法的 HTTP/HTTPS URL，并且不是内网地址。 POC/利用代码: 截图中的 "Details" 部分列出了详细的步骤（Step 1 到 Step 6），这实际上就是利用过程/POC。 Step 1: 初始请求 。 Step 2: 构造恶意请求 。 Step 3: 利用 绕过。 Step 4: 触发 SSRF。 Step 5: 读取敏感文件。 Step 6: 窃取认证令牌。 代码块部分： 整理输出： 漏洞概述: 标题 + 摘要。 影响范围: Impact 部分。 修复方案: Recommended Fix 部分。 POC代码: Details 部分中的请求示例。 Drafting the response (in Chinese): 漏洞名称: Unauthenticated SSRF via /loadImg Chains with startWith() Credential Leak for Authentication Token Theft 概述: 这是一个未认证的 SSRF 漏洞。攻击者可以通过 端点，利用 方法绕过白名单检查，构造恶意 URL 请求内部资源。 影响: 未授权访问内部资源。 敏感数据泄露（如 文件）。 认证令牌窃取。 服务器端请求伪造 (SSRF)。 修复方案: Fix 1: 在 类中，修改 方法，移除不安全的 检查，改为更严格的 URL 验证（例如只允许 或特定的白名单域名）。 Fix 2: 在 类中，修改 方法，增加对 参数的验证，确保其是合法的 HTTP/HTTPS URL，并且不是内网地址。 POC/利用代码: 提取 Details 中的请求示例。 Refining the code extraction: The image shows code snippets in the "Details" section and "Recommended Fix" section. I need to make sure I capture the POC part correctly. The POC part is essentially the steps described in "Details". Step 1: Step 2: Step 3: Step 4: Wait, looking closely at the "Details" section, it lists steps. Step 1: Initial request... Step 2: Constructed URL... Step 3: Bypass... Step 4: Trigger... Step 5: Read sensitive file... Step 6: Steal token... The code blocks in "Details" are: Actually, looking at the image, the code blocks in "Details" are: 1. (Step 1) 2. (Step 2) 3. (Step 5) 4. (Step 6) Wait, let me look closer at the "Details" section code blocks. Step 1: Step 2: Step 3: (Wait, Step 3 says "Bypass...") Step 4: (Wait, Step 4 says "Trigger...") Let's re-read the "Details" section carefully. Step 1: Initial request... Step 2: Constructed URL... Step 3: Bypass... (This seems to be the bypass attempt) Step 4: Trigger... (This seems to be the trigger) Step 5: Read sensitive file... Step 6: Steal token... Actually, the code blocks in the "Details" section are: 1. 2. 3. 4. Wait, looking at the image again, there are 6 steps. Step 1: Step 2: Step 3: Step 4: Step 5: Step 6: It seems the code blocks are repeated or slightly different. Let's look at the "Recommended Fix" section. Fix 1: Fix 2: Okay, I have enough information. I will structure the response now. Structure: 1. 漏洞概述: Title + Summary. 2. 影响范围: Impact section. 3. 修复方案: Recommended Fix section (Fix 1 & Fix 2). 4. POC/利用代码: Details section (Steps 1-6). Let's refine the POC part. The image shows code blocks for each step. Step 1: Step 2: Step 3: Step 4: Step 5: Step 6: Wait, looking really closely at the "Details" section code blocks. Step 1 block: Step 2 block: Step 3 block: Step 4 block: Step 5 block: Step 6 block: It seems the steps are describing a chain. Step 1: Initial request. Step 2: Constructed URL with internal IP. Step 3: Bypass check. Step 4: Trigger SSRF. Step 5: Read sensitive file. Step 6: Steal token. The code blocks in the image are: 1. 2. 3. 4. 5. 6. Actually, looking at the image, there are only 4 code blocks in the "Details" section visible clearly, but the text describes 6 steps. Let's look at the code blocks again. Block 1 (Step 1): Block 2 (Step 2): Block 3 (Step 3): Block 4 (Step 4): Block 5 (Step 5): Block 6 (Step 6): Wait, the image is long. Let me scroll down mentally. Ah, I see "Step 5: Read sensitive file..." and "Step 6: Steal token...". The code blocks for Step 5 and Step 6 are: Step 5: Step 6: So I will extract all these. Final check of the text: Title: Unauthenticated SSRF via /loadImg Chains with startWith() Credential Leak for Authentication Token Theft Summary: Unauthenticated SSRF vulnerability in the /loadImg endpoint. The endpoint uses a startWith() method to validate the URL parameter, which can be bypassed. This allows attackers to request internal resources, leading to sensitive data leakage (e.g., .env files) and authentication token theft. Impact: - Unauthenticated access to internal resources. - Sensitive data leakage (e.g., .env files). - Authentication token theft. - Server-Side Request Forgery (SSRF). Recommended Fix: - Fix 1: In ImageService class, modify loadImage method to use stricter validation (e.g., check for https:// or http:// and exclude internal IPs). - Fix 2: In ImageController class, modify loadImage method to validate the url parameter. Okay, ready to write. 漏洞总结 漏洞概述 漏洞名称: Unauthenticated SSRF via /loadImg Chains with startWith() Credential Leak for Authentication Token Theft 漏洞描述: 这是一个未认证的 SSRF（服务器端请求伪造）漏洞，位于 端点。该端点使用 方法对 URL 参数进行白名单验

目標達成すべての支援者に感謝 — 100%達成しました！

Unauthenticated SSRF via /loadImg bypassing startWith whitelist to steal auth tokens

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

Unauthenticated SSRF via /loadImg bypassing startWith whitelist to steal auth tokens

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！