Omise makes use of Amazon AWS as their application environment. Due to a vulnerability in the way webhooks are implemented, an attacker can make arbitrary HTTP/HTTPS requests from the application server and read their responses. This is known as a server-side request forgery (SSRF) vulnerability.
This vulnerability leads to access to Omise's Amazon EC2 instance with the user role
aws-opsworks-ec2-role, including AWS private keys.
The vulnerability exists in the way webhooks follow redirects. In general, it appears that redirects are not followed, but a HTTP 303 See Other status code allows an attacker to bypass this restriction.
By pointing my webhook URL to a server that issues a 303 redirect, I am able to redirect and read the responses of arbitrary HTTP/HTTPS requests from the application server. E.g. the following PHP script results in a successful request that is followed by the server:
<?php header('Location: http://<arbitrary-location>', TRUE, 303); ?>
As a result, it is possible to request a number of things, including AWS credentials on the metadata server located at
Steps to reproduce
- Host the following payload on
<?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>
- Point your webhook endpoint on https://dashboard.omise.co/test/webhooks/edit to
- Make a random call to the API, e.g. adding a user;
- View the "Recent Deliveries" of the webhook calls on https://dashboard.omise.co/test/webhooks
- Note the
200 OKstatus code indicating a successful redirect
- Click the event to view the response body of the AWS metadata
I recommend to ensure all input provided to the endpoint is validated. In this case, ensure that 303 redirects are not followed either.
I also recommend resetting all AWS access tokens. In addition, I recommend reviewing the Amazon access logs to investigate if this vulnerbility has been exploited in the past.
- 20190312_AWS-SSRF-303-redirect-2.png - Screenshot showing the output of the AWS credentials obtained through the SSRF vulnerability.
- 20190312_AWS-SSRF-303-redirect.png - Screenshot showing the output of the AWS index of metadata.
By exploiting this vulnerability, an unauthorized attacker could gain access to the AWS environment of Omise. Note that the SSRF vulnerability could be abused in a variety of ways, not just limited to obtaining AWS credentials. For example, to enumerate and access services and web applications running on the internal network.
For the community, by the community