Posts with the tag ssrf:

Unauth HTTP SSRF in Nuance Ai Training Platform

I submitted another HTTP SSRF in MS services via MSRC recently, this time within an insecure api.php endpoint I found on train.digital.nuance.com. This was a full HTTP SSRF, capable of interacting with internal services, and could be used for both GET and POST requests, including sending full GET/POST bodies with arbitrary parameter/value pairs to arbitrary resources. Bounty? None. A few weeks after submission, MS responded that they confirmed the bug, were investigating the issue, and asked for any more information I could provide.

Unauthenticated SSRF in Office.net

In late September I reported an unauthenticated SSRF I’d found on Office.net to MSRC, only to receive a response that said I had included no reproduction steps, and therefore the report was invalid and would be closed. Obviously, the report had reproduction steps. So I replied, directing them to the report (which included reproduction steps), and was met with the same response. The report was closed, and I was pretty miffed.