Using SSRF/XSPA to extract data from internal machines
SSRF and XSPA vulnerabilities can also be used for other actions, such as extracting information from other servers on the network where the backend is located, or from the server on which the application itself is hosted. Let's analyze the following request:
Here, the filehookURL parameter is vulnerable, because the server fetches whatever URL it receives. Send the request to the Repeater tool using the secondary (right) mouse button, and modify the parameter so that it points at a local file, /etc/passwd, using the file:// scheme, as follows:
action=handleWidgetFiles&type=delete&file=1&filehookURL=file:///etc/passwd
Send the modified request to the application. If the fetcher accepts the file:// scheme, the contents of /etc/passwd will appear in the response, as shown in the following screenshot:
As with other file-read vulnerabilities, it is often useful to look for files in the web server's document root, where it may be possible to extract source code, or configuration and properties files that contain sensitive information such as database credentials.
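To see why the file:// payload works on the server side, and what a fix looks like, here is an added example (not code from the original page or from the application it describes) of a Python back end that fetches a filehookURL parameter. The function names, the use of urllib as the fetcher, and the temporary file that stands in for /etc/passwd are assumptions made for this illustration. The vulnerable version hands the URL straight to urlopen, which understands file://; the hardened version allows only http and https, refuses loopback, link-local and private addresses (including the cloud metadata address 169.254.169.254), builds an opener with no FileHandler at all, and re-validates every redirect target.

```python
"""Vulnerable vs. hardened handling of a user-supplied filehookURL parameter.

Added example, not from the original page. The application, function names
and the temporary file (a stand-in for /etc/passwd) are constructed.
"""
import ipaddress
import os
import socket
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def fetch_hook_vulnerable(filehook_url: str, timeout: float = 5.0) -> bytes:
    """Vulnerable: the user-controlled URL goes straight to urlopen.
    urllib's default opener includes a FileHandler, so file:///etc/passwd is
    read from the server's own disk and returned to the client."""
    with urllib.request.urlopen(filehook_url, timeout=timeout) as resp:
        return resp.read()


def _is_internal(ip: ipaddress._BaseAddress) -> bool:
    """True for any address that should never be reachable through a webhook."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_hook_url(filehook_url: str, resolve: bool = False) -> Optional[str]:
    """Return None if the URL is acceptable, otherwise a rejection reason.
    With resolve=True the hostname is resolved and each resulting address is
    checked too (needs DNS; disabled by default so this runs offline)."""
    parsed = urlparse(filehook_url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {scheme or '<none>'}"
    host = parsed.hostname
    if not host:
        return "missing host"
    if host.lower() in LOOPBACK_NAMES or host.lower().endswith(".localhost"):
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)  # IP literal, e.g. 127.0.0.1, [::1], 169.254.169.254
    except ValueError:
        ip = None
    if ip is not None:
        return f"address in a non-routable range: {ip}" if _is_internal(ip) else None
    if resolve:
        port = parsed.port or (443 if scheme == "https" else 80)
        try:
            infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return "hostname does not resolve"
        for info in infos:
            resolved = ipaddress.ip_address(info[4][0])
            if _is_internal(resolved):
                return f"{host} resolves to non-routable address {resolved}"
    return None


class _ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-check every redirect target; a 302 to file:// or to 127.0.0.1 must not be followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        reason = validate_hook_url(newurl, resolve=True)
        if reason:
            raise urllib.error.HTTPError(newurl, code, f"redirect rejected: {reason}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


# Opener assembled by hand so that FileHandler, FTPHandler and DataHandler are absent.
_opener = urllib.request.OpenerDirector()
for _handler in (urllib.request.HTTPHandler(), urllib.request.HTTPSHandler(),
                 _ValidatingRedirectHandler(), urllib.request.HTTPErrorProcessor(),
                 urllib.request.HTTPDefaultErrorHandler()):
    _opener.add_handler(_handler)


def fetch_hook_hardened(filehook_url: str, timeout: float = 5.0) -> bytes:
    """Hardened: validate first (scheme, host, resolved addresses), then fetch
    with an opener that cannot speak anything but HTTP(S)."""
    reason = validate_hook_url(filehook_url, resolve=True)
    if reason:
        raise ValueError(f"rejected filehookURL: {reason}")
    with _opener.open(filehook_url, timeout=timeout) as resp:
        return resp.read()


def demo():
    """Constructed stand-in for /etc/passwd: the vulnerable fetcher leaks it,
    the hardened one refuses before touching the disk. Returns (leaked, blocked)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        path = f.name
    try:
        payload = Path(path).as_uri()  # file:///... just like the request above
        leaked = fetch_hook_vulnerable(payload)
        try:
            fetch_hook_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable fetcher returned:", leaked.decode().strip())
    print("hardened fetcher blocked file://:", blocked)
```

The allow-list on the scheme is what closes the /etc/passwd hole; the address checks and the redirect re-validation are what keep the same parameter from being turned against internal hosts (the XSPA side of the problem). Note that resolving the name once and then connecting is still open to DNS rebinding, so in a real deployment the connection should be pinned to the validated address, or the fetch should go through an egress proxy that enforces the same policy.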