Office Web Apps Server Server Side Request Forgery Scanner

Office Web Apps Server is used globally by organizations to facilitate and enhance the use of Office applications over the web. It integrates with Microsoft Office, SharePoint, and other Office Web Services to provide seamless collaborative experiences. Often deployed within enterprise environments, it enables access to Office applications like Word, Excel, and PowerPoint via web browsers. The server is typically installed in educational institutions, corporate settings, and government entities. Its primary purpose is to offer browser-based viewing, editing, and sharing of Office documents without the need for client-side installations of Microsoft Office. The server caters to both internal organization users and external clients for document sharing and collaborative functionalities.

Server Side-Request-Forgery (SSRF) is a vulnerability that allows an attacker to coerce the application to make unauthorized requests. It is often exploited to gain access to internal systems that are otherwise inaccessible to an external attacker. Typically, this vulnerability is used to extract sensitive data from the server or interact with internal resources. It can provide unauthorized access to internal files and services, leading to a complete compromise of the server. Attackers can exploit SSRF to bypass firewalls and other similar protections provided by the network architecture. The vulnerability is a critical concern as it can facilitate a breach in security by leveraging the application's backend to conduct unauthorized actions.

The SSRF vulnerability in Office Web Apps Server is characterized by a fault in handling user inputs when interacting with external resources. Technically, the vulnerability exists when the server processes URLs without adequately validating them, subsequently fetching resources from remote locations. The exploit involves manipulating endpoints that take URLs as input, such as the endpoint used for accessing files. Parameters like the `wFileId` in requests can be manipulated to trigger external requests. Attackers leverage SSRF by crafting requests to malicious or unintended URLs, facilitating unauthorized interactions. The endpoint that is particularly susceptible is the `/oh/wopi/files/@/wFileId/contents` endpoint, which can be exploited when malformed URLs are processed.

When exploited, the SSRF vulnerability can reveal internal system resources and network configurations. This breach can enable attackers to access sensitive internal data or escalate further network-level attacks. It poses a high risk as it might expose other vulnerabilities or weaknesses within the internal infrastructure. Compromised systems could lead to data theft, further unauthorized access to sensitive resources, or manipulation of important files. The impact of SSRF can extend to system outages, service interruptions, and potential data breaches, depending on the internal services that become accessible. Mitigating such vulnerabilities is critical to maintaining the security posture of the affected systems.

REFERENCES

• https://drive.google.com/file/d/1aeNq_5wVwHRR1np1jIRQM1hocrgcZ6Qu/view (Slide 37,38)