Server Side Request Forgery via location header in jgraph/drawio
May 15th 2022
It is possible to bypass current SSRF checks using a redirection via the location header.
Proof of Concept
1.) Mock a redirect endpoint using https://beeceptor.com/
2.) Set Location: http://localhost:1122 as a response header and set the status code to 301
3.) Listen on port 1122
4.) Access the following resource:
(http is important here)
5.) The request will be made to localhost:1122
From my understanding the code implements its own redirection handling by reading the Location header and doing a new request. But this happens after setInstanceFollowRedirects is set to true. By setting it to true, the connection will follow redirects automatically before any checks.
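The mechanism described above, as an added Java example that is not draw.io's code: the vulnerable shape validates only the initial URL and then lets HttpURLConnection follow the 301 on its own, while the hardened shape disables automatic redirects and re-runs the SSRF policy on every Location target before the next connection is opened. The policy in isAllowed (scheme allow-list plus loopback, link-local and site-local address rejection) and the hop limit MAX_REDIRECTS are assumptions for the example.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.net.UnknownHostException;

/**
 * Example code (not from draw.io): follow redirects by hand so that every hop,
 * not only the first URL, is checked against the SSRF policy before it is fetched.
 */
public final class SafeRedirectFetcher {

    /** Assumed hop limit; unbounded redirect chains are a separate denial-of-service risk. */
    private static final int MAX_REDIRECTS = 5;

    /**
     * Assumed policy: only http/https, and no address the host resolves to may be
     * loopback, wildcard, link-local or site-local. Resolving the name catches DNS
     * names that point at 127.0.0.1 as well as literal "localhost".
     */
    static boolean isAllowed(URL url) throws UnknownHostException {
        String protocol = url.getProtocol();
        if (!"http".equals(protocol) && !"https".equals(protocol)) {
            return false;
        }
        for (InetAddress addr : InetAddress.getAllByName(url.getHost())) {
            if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()) {
                return false;
            }
        }
        return true;
    }

    /** Vulnerable pattern from the report: the JDK follows the 301 before any later check can see it. */
    static HttpURLConnection openVulnerable(URL url) throws IOException {
        if (!isAllowed(url)) {
            throw new IOException("SSRF policy rejected " + url);
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(true); // Location: http://localhost:1122 is fetched silently
        return conn;
    }

    /** Hardened pattern: no automatic redirects; each Location target is validated, then fetched. */
    static HttpURLConnection openChecked(URL url) throws IOException {
        URL current = url;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!isAllowed(current)) {
                throw new IOException("SSRF policy rejected " + current);
            }
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int code = conn.getResponseCode();
            if (code != 301 && code != 302 && code != 303 && code != 307 && code != 308) {
                return conn; // final response; its URL passed the policy above
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) {
                throw new IOException("redirect without Location header from " + current);
            }
            // Relative Location values are resolved against the current URL, then re-checked on the next pass.
            current = new URL(current, location);
        }
        throw new IOException("too many redirects starting at " + url);
    }

    public static void main(String[] args) throws IOException {
        URL target = new URL(args.length > 0 ? args[0] : "https://example.com/");
        HttpURLConnection conn = openChecked(target);
        System.out.println(conn.getResponseCode() + " from " + conn.getURL());
    }
}
```

Two caveats for anyone adapting this: the address check and the actual connection resolve the hostname separately, so a name whose answer changes between the two lookups (DNS rebinding) can still slip through unless the connection is pinned to the validated address; and a redirect to a different scheme or port (the report's "http is important here") is only safe because the loop re-runs isAllowed on the new URL rather than trusting the original scheme.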
This vulnerability allows an attacker to make the server issue requests to attacker-controlled destinations, and the responses can leak sensitive information to the attacker.