FFmpeg is a free and open-source project consisting of a vast software suite of libraries and programs for handling video, audio, and other multimedia files and streams. At its core is the FFmpeg program itself, designed for command-line-based processing of video and audio files, and widely used for format transcoding, basic editing (trimming and concatenation), video scaling, video post-production effects, and standards compliance. FFmpeg is known to process HLS playlists that may contain references to external files.
Story!
I received a private invitation on Bugcrowd; let's call it REDACTED.COM.
Basically, Redacted.com is a video transcoding platform, so it's 99% sure that they'll be using FFmpeg :P So it's obvious that the first test I'll perform on the target will be SSRF, only using FFmpeg HLS processing.
Setup!
- A small server, just to check logs; you can use AWS or DigitalOcean.
- B-XSSRF to check the requests. Download it from Here. (Don't forget to read the instructions given in the repo.)
- Malicious AVI file. Download it from Here.
- Open the downloaded AVI file in Notepad++, search for http://127.0.0.1/request.php and replace it with yours.
Testing!
Now we are ready to test SSRF with FFmpeg.
- Logged in to Redacted.com.
- Uploaded the video.
- Checked for requests received.
- Bingo! It's vulnerable :P
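As an added example that is not part of the original write-up: a pre-processing check a transcoding service could run on an upload before handing it to FFmpeg. It scans the raw bytes for an embedded HLS playlist and rejects the file if any segment or key URI would make FFmpeg fetch something over the network or from the local filesystem; the sample upload, the `callback.example` host and the disallowed-scheme list are constructed assumptions to tune per deployment.

```python
import re
from urllib.parse import urlparse

# Schemes a transcoding worker must never resolve on behalf of an uploaded file.
# Assumed list for this example; "file" is included because a local read is just as bad.
DISALLOWED_SCHEMES = {"http", "https", "ftp", "tcp", "udp", "rtp", "rtmp", "gopher", "file"}

# URI="..." attributes on tags such as #EXT-X-KEY / #EXT-X-MAP are fetched too.
_URI_ATTR = re.compile(rb'URI="([^"]*)"')


def hls_references(data: bytes) -> list[str]:
    """Every URI an HLS playlist embedded anywhere in `data` would make FFmpeg open.

    Container-agnostic on purpose: it searches the raw bytes for the '#EXTM3U'
    marker, so a playlist smuggled into an AVI is found like a bare .m3u8 upload.
    """
    refs: list[str] = []
    start = data.find(b"#EXTM3U")
    if start == -1:
        return refs
    for raw in data[start:].splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(b"#"):
            refs.extend(m.group(1).decode("utf-8", "replace") for m in _URI_ATTR.finditer(line))
            if line.startswith(b"#EXT-X-ENDLIST"):
                break
            continue
        refs.append(line.decode("utf-8", "replace"))  # non-tag lines are segment URIs
    return refs


def network_references(data: bytes) -> list[str]:
    """Subset of hls_references() that would leave the upload's own directory."""
    out = []
    for ref in hls_references(data):
        scheme = urlparse(ref).scheme.lower()
        if scheme in DISALLOWED_SCHEMES or ref.startswith(("/", "\\")) or ".." in ref:
            out.append(ref)
    return out


def is_safe_to_transcode(data: bytes) -> bool:
    return not network_references(data)


# Constructed sample: a fake RIFF/AVI header followed by a smuggled playlist that
# points at a placeholder callback host (not a real file from the write-up).
SAMPLE_UPLOAD = (
    b"RIFF\x00\x00\x00\x00AVI LIST" + b"\x00" * 16
    + b"#EXTM3U\n#EXT-X-TARGETDURATION:10\n"
    + b'#EXT-X-KEY:METHOD=AES-128,URI="http://callback.example/key"\n'
    + b"#EXTINF:10.0,\nhttp://callback.example/request.php\n#EXT-X-ENDLIST\n"
)
```

Treat this as defence in depth: the durable fix is to restrict which protocols the FFmpeg worker may open and to run it in a network segment with no egress to internal services.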
What's next?
Reported to the vendor on Bugcrowd -> Duplicate -> LOL
Anyway, it may help you :)