Burp Suite User Forum

Is the External Service Interaction vulnerability exploitable?

Divyesh | Last updated: Oct 04, 2017 01:51PM UTC

Hello, in most scans Burp reports an External Service Interaction vulnerability, either in HTTP/S or DNS. I am not sure how this can be exploited on the server side. I see some similarities to SSRF, but could not find any way to exploit it. Can someone please share some additional information on this?

PortSwigger Agent | Last updated: Oct 04, 2017 02:04PM UTC

Hi Divyesh, thanks for your inquiry. This finding identifies behavior that is interesting for further analysis, but may or may not be a vulnerability. Many web sites, such as social networks, allow users to include URLs, and the server will fetch these URLs to produce a thumbnail. This would be reported as External Service Interaction. Provided it is implemented securely, this is not a vulnerability - but there are all sorts of implementation errors that can be made. The finding is especially interesting when it's detected in some unexpected place. You may be interested in this research by one of my colleagues:

- http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html

Please let us know if you need any further assistance.
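The distinction drawn above (a URL-fetching feature such as a thumbnail generator is not a vulnerability when implemented securely, but is easy to get wrong) is easier to see in code. The following is an added example, not code from the forum thread or from PortSwigger: a pre-fetch check that a server-side fetcher can run on a user-supplied URL before making the outbound request. The scheme and port allowlists, the hostnames, and the `FAKE_DNS` table are all assumptions constructed for this example so that it runs offline; the resolver is injected so that the same function works with the real `socket.getaddrinfo` in production.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Policy for this example (an assumption, not PortSwigger's guidance):
# the thumbnail job may only fetch plain web URLs on the standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example is deterministic and needs no network.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],            # public address
    "intranet.example": ["10.0.0.5"],                   # RFC 1918, rejected
    "localtest.example": ["127.0.0.1"],                 # loopback, rejected
    "linklocal.example": ["169.254.1.1"],               # link-local, rejected
    "v6loop.example": ["::1"],                          # IPv6 loopback, rejected
    "mixed.example": ["93.184.216.34", "192.168.1.9"],  # one bad answer rejects all
}


def fake_resolve(hostname: str) -> List[str]:
    """Offline stand-in for DNS; fails like the real resolver on unknown names."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname!r}")


def system_resolve(hostname: str) -> List[str]:
    """Real resolver: return every A/AAAA answer so each one can be vetted."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for addresses a thumbnail fetcher should be allowed to reach."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) must be judged as 10.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str,
                       resolve: Callable[[str], List[str]] = system_resolve
                       ) -> Tuple[bool, str]:
    """Decide whether the server may fetch `url`. Returns (allowed, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    # user:pass@host forms are a classic source of parser disagreement; refuse them.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # A literal IP in the URL needs no lookup but still has to be public.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolve(host)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "no addresses returned"
    # Every answer must be acceptable; a single internal address fails the check.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} -> {', '.join(addresses)}"


if __name__ == "__main__":
    for candidate in ["https://images.example.com/cat.png",
                      "http://intranet.example/status",
                      "file:///etc/hosts",
                      "https://images.example.com:8080/"]:
        allowed, reason = check_outbound_url(candidate, fake_resolve)
        print("ALLOW" if allowed else "DENY ", candidate, "-", reason)
```

Two caveats a reviewer would raise against this check on its own. First, it resolves the name once and the HTTP client would resolve it again, so a name whose answers change between the two lookups defeats it; the fetcher should connect to the address this function vetted (setting the Host header and SNI to the original name) or re-run the address check at connect time, and it must apply the same check to every redirect target rather than following redirects blindly. Second, logging the vetted URL and address for each outbound fetch is what lets you correlate a scanner's External Service Interaction finding with a known, intended feature instead of an unexpected one.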

Alex | Last updated: Mar 23, 2020 08:30PM UTC

Hey, got the same, but how can we exploit it? How is it exploitable in these places? How can we make a valid POC for the impact if I know for SURE it's vulnerable? Thanks!

Liam, PortSwigger Agent | Last updated: Mar 24, 2020 02:54PM UTC

Alex, would it be possible to send us the issue detail? (support@portswigger.net)
