Security Researcher Receives Applause After Discovering Yandex SSRF Flaw

Russian-language search engine has secured its backend infrastructure

Russian Internet search and service giant Yandex has addressed a potentially serious server-side request forgery (SSRF) vulnerability discovered by Egyptian security researcher Momen Ali.

Ali (alias 'leCyberGuy') discovered the vulnerability after a systematic search of Yandex's infrastructure.

They reported the vulnerability via the Yandex bug bounty, earning a spot in the organization's Hall of Fame for November 2021 after the issue had been verified and resolved by its development team.


Resolving the vulnerability allowed Ali to publish a technical blog post explaining his approach to bug hunting, his research to identify potential targets within Yandex’s infrastructure using various Google dorks, and the SSRF vulnerability he eventually discovered.

The root cause of the vulnerability was an improperly configured server that forwarded requests to whatever host name the client specified in an HTTP header.

"SSRF occurred due to the injection of HTTP headers such as X-Forwarded-Host, so in my case the SSRF was in the HTTP header," as Ali explained in his article.

Ali used a combination of Burp Intruder, Burp Collaborator, and the Nuclei template-based scanner to discover and validate the vulnerability.
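To make the root cause concrete, here is an added example (not Ali's code and not Yandex's) that contrasts a proxy which trusts X-Forwarded-Host with one that checks the header against an allowlist before building the upstream URL; the host names and the allowlist are constructed placeholders.

```python
"""Added example: the header-trust bug behind an X-Forwarded-Host SSRF, shown
as the unsafe pattern beside a hardened one. Not taken from the article's
write-up; all host names below are constructed placeholders."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for the backends a real proxy may reach.
ALLOWED_UPSTREAMS = frozenset({"app.example.internal", "static.example.internal"})


def upstream_url_unsafe(headers: dict, path: str) -> str:
    """Vulnerable pattern: the forwarded host is copied straight from a
    client-controlled header, so the server fetches whichever host the
    client names (the misconfiguration described in the article)."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"http://{host}{path}"


def canonical_host(raw: str) -> Optional[str]:
    """Reduce a Host-style value to a bare lowercase hostname, or return None
    when it is malformed (userinfo, path, query, fragment, whitespace or a
    non-numeric port smuggled into the header value)."""
    raw = raw.strip()
    if not raw or any(c in raw for c in "/@\\ \t\r\n"):
        return None
    # A leading "//" makes urlsplit parse the value as an authority section.
    parts = urlsplit("//" + raw)
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    try:
        _ = parts.port  # raises ValueError when the port is not an integer
    except ValueError:
        return None
    return parts.hostname.lower() if parts.hostname else None


def upstream_url_safe(headers: dict, path: str, allowed=ALLOWED_UPSTREAMS) -> str:
    """Hardened pattern: X-Forwarded-Host is honoured only if it names an
    allowlisted backend; anything else falls back to a fixed default, so the
    client can never steer the server to a host of its choosing."""
    host = canonical_host(headers.get("X-Forwarded-Host", ""))
    if host not in allowed:
        host = "app.example.internal"  # fixed default, never client-chosen
    return f"http://{host}{path}"
```

The same allowlist check belongs on every header a reverse proxy consults when choosing an upstream (Host, X-Forwarded-Host, X-Original-URL and similar), not just the one named in this report.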

Server-side fun

SSRF attacks generally allow an attacker to trick a server-side application into sending HTTP requests to a domain of the attacker's choosing, normally for malicious purposes.

In some attack scenarios this is done to siphon authorization credentials; in others it is used to make the server open connections to internal services that are reachable only from within the organization's infrastructure.


Ali demonstrated that the Yandex SSRF vulnerability posed this latter class of risk, without going further to explore the full extent of the problem.

The Daily Swig asked Ali a number of follow-up questions about his research. No word yet, but we'll update this story as more information becomes available.
