Splash SSRF Scanner

Detects the Server-Side Request Forgery (SSRF) vulnerability in Splash Render.

Short Info

Level: High
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 26 days 18 hours
Scan only one: URL
Toolbox: -

Splash Render is a popular web rendering and scraping tool, widely used by developers and data scientists to automate the collection of web data. It is often integrated into larger crawling and extraction systems and used in industries that rely heavily on big data analytics, such as digital marketing and academic research. Developers use it to render web pages in a non-GUI environment, which makes it possible to process large volumes of data server-side. It is deployed wherever web automation can significantly increase research output, from personal research environments to corporate systems, and is an essential tool for scalable scraping tasks. Its primary use case is scraping data from dynamic web pages that require JavaScript execution.

Server-Side Request Forgery (SSRF) is a critical vulnerability that allows attackers to induce a server-side application to make HTTP requests to arbitrary destinations. In a product like Splash Render, this flaw can compromise internal systems, because an attacker can use the server to obtain data from areas they are not authorized to reach. SSRF typically arises when unvalidated or unchecked input influences the destination of a server-side HTTP request. It is particularly dangerous because the request originates from the server itself, so it bypasses network access controls and can reach sensitive, non-public endpoints. Exploitation can lead to unauthorized access or data leakage from internal services that were never intended to be reachable from the outside. SSRF therefore poses a severe threat to the confidentiality and integrity of information processed by vulnerable services like Splash Render.

The core issue with SSRF in Splash Render lies in the rendering endpoint, which accepts arbitrary URLs for processing. The endpoint does not validate the destination it is asked to load, so whoever controls the request controls the target of the server-side fetch. The critical parameter is the 'url' parameter in the query string, which can be pointed at internal or external resources. The scanner confirms the vulnerability when the response body contains indicators such as 'Interactsh Server', showing that the server fetched the supplied URL; a 200 status code on that response is further evidence that the server-side request was processed without adequate validation. Through this endpoint, an attacker can trigger unauthorized actions and data retrievals.
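The validation the rendering endpoint lacks, as an added example that is not part of this page or of the Splash project: a resolve-then-check filter applied to a user-supplied 'url' parameter before any server-side fetch. The DNS table and hostnames are constructed so it runs offline; the default resolver uses the system's getaddrinfo.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # split answer: public plus loopback
}

def demo_resolver(host: str) -> Iterable[str]:
    """Offline stand-in for DNS; raises for unknown names like getaddrinfo does."""
    if host not in DEMO_DNS:
        raise OSError(f"unresolvable: {host}")
    return DEMO_DNS[host]

def system_resolver(host: str) -> Iterable[str]:
    """Real resolution: return every address the name maps to, not only the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_safe_fetch_target(url: str,
                         resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """True only if a server-side fetcher should be allowed to load 'url'.

    Rejects non-HTTP(S) schemes, embedded credentials, and any IP literal or
    resolved address that is not globally routable (loopback, RFC 1918,
    link-local such as 169.254.0.0/16, multicast, reserved); all answers must pass.
    """
    try:
        parts = urlsplit(url)
    except ValueError:                      # e.g. malformed IPv6 bracket syntax
        return False
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username or parts.password:    # "http://user@host" style confusion
        return False
    try:
        ipaddress.ip_address(host)          # bare IP literal: no DNS lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (OSError, ValueError):       # unresolvable or garbage answer
            return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
```

The caller should fetch the address that passed the check rather than resolving the hostname again, otherwise a second lookup can return a different answer.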

When exploited, SSRF vulnerabilities in Splash Render can have several harmful outcomes. Attackers may gain access to otherwise protected resources behind firewalls, such as internal databases or application instances holding sensitive information. They can use the server as a pivot for lateral movement across internal network segments, expanding the attack surface and potentially breaching other secured zones; depending on what the reachable internal services expose, this can progress to information leakage or, in certain configurations, remote code execution. Attackers can also force the server-side application to interact with malicious resources that aid further exploitation. Altogether, this vulnerability exposes an organization to significant risk of data breaches, financial damage, and the reputational harm that follows information disclosure incidents.
