Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata
In an ideal world, vulnerabilities would not exist. A request would be sent to a server, properly validated, and only the intended information would be provided by the server. Of course, this is not a perfect world, and vulnerabilities can be introduced unintentionally, or even found due to previously unknown weaknesses within the programming language.
One type of vulnerability that can have severe consequences if exploited, yet is not frequently talked about, is Server Side Request Forgery (SSRF).
What is Server Side Request Forgery?
Server Side Request Forgery (SSRF) is a type of vulnerability that allows an attacker to abuse normal functionality on the server by getting the server to send a request that the attacker has control over. This can be accomplished relatively simply with a modified URL in a browser, or by using a tool like Burp Suite to capture the browser request and modify it before sending it on to the server.
SSRF vulnerabilities are not often difficult to exploit, but can provide a threat actor with information that can assist them in further attacks, or even allow them to make requests to internal resources that can lead to data alteration. In some cases, a threat actor may be able to run arbitrary commands on the server, allowing the actor to complete a full takeover of a vulnerable site.
A Real World Example: Server Side Request Forgery Vulnerability in the Google Web Stories Plugin
On October 25, 2022, a SSRF vulnerability in the Web Stories plugin by Google was disclosed in versions