Wordpress Oembed Proxy SSRF

By kannthu

Medium
Vidoc Module
#wordpress #ssrf #oast #proxy
Description

What is the "Wordpress Oembed Proxy SSRF" module?

The "Wordpress Oembed Proxy SSRF" module is designed to detect a server-side request forgery (SSRF) vulnerability in WordPress websites. SSRF is a type of vulnerability that allows an attacker to make requests from the vulnerable server to arbitrary destinations, potentially bypassing security measures and accessing internal resources.

This module targets WordPress, a popular content management system (CMS) used for creating websites and blogs. The severity of this vulnerability is classified as medium.

Author: dhiyaneshDk

Impact

If successfully exploited, the SSRF vulnerability in WordPress can lead to various security risks, including:

- Unauthorized access to internal resources
- Data leakage
- Potential compromise of sensitive information

How does the module work?

The "Wordpress Oembed Proxy SSRF" module works by sending a specific HTTP request to the target WordPress website. The request is made to the "/wp-json/oembed/1.0/proxy" endpoint, with a "url" parameter that includes the {%InteractionURL%} placeholder. This placeholder represents the interaction URL that the Vidoc platform will replace with a valid value during scanning.

The module includes a matching condition that checks if the "interactsh_protocol" part contains the word "http", that is, whether the interaction URL received an HTTP request made by the target server. If this condition is met, the module will report a vulnerability.

Here is an example of the HTTP request sent by the module:

GET /wp-json/oembed/1.0/proxy?url=http://{%InteractionURL%}/ HTTP/1.1
Host: [target website]

The module will analyze the response and determine if the SSRF vulnerability exists based on the matching condition.
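From the defender's side, the same request pattern can be looked for in web server access logs. The following is an added example, not part of the Vidoc module: it scans combined-format log lines for requests to the proxy endpoint and classifies where the "url" parameter points. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PROXY_PATH = "/wp-json/oembed/1.0/proxy"  # endpoint named on this page
# Combined log format: client ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-json/oembed/1.0/proxy?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 401 95
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-json/oembed/1.0/proxy?url=http://abc123.oast.example/ HTTP/1.1" 200 120
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-json/oembed/1.0/embed?url=https://blog.example/post HTTP/1.1" 200 800
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-json/oembed/1.0/proxy?url=http://localhost:8080/admin HTTP/1.1" 200 40
"""

def classify_target(url):
    """Return 'internal' for loopback/private/link-local hosts, else 'external'."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname; DNS resolution is out of scope here
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"

def find_proxy_requests(log_text):
    """Yield (client, status, requested_url, classification) per proxy hit."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path.rstrip("/") != PROXY_PATH:
            continue  # other oEmbed routes (e.g. /embed) are not the proxy
        for url in parse_qs(parts.query).get("url", []):  # percent-decoded
            findings.append((client, int(status), url, classify_target(url)))
    return findings

if __name__ == "__main__":
    for finding in find_proxy_requests(SAMPLE_LOG):
        print(finding)
```

Hits classified as "internal" deserve review first; "external" hits with a 2xx status show the server was asked to fetch an outside URL and should be correlated with outbound connection logs.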

Metadata: max-request: 1

Reference

- https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress
- https://github.com/incogbyte/quickpress/blob/master/core/req.go

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-json/oembed/1.0/...
Matching conditions
word: http
Passive global matcher
No matching conditions.
On match action
Report vulnerability