TiTiler Blind SSRF Scanner

This scanner detects the TiTiler Blind SSRF vulnerability in digital assets.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 20 days 15 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

TiTiler is an application used primarily by geospatial professionals and organizations that require dynamic tile serving capabilities for Cloud Optimized GeoTIFFs (COGs). It allows efficient delivery of map tiles from geospatial data over the web. The application is typically deployed in cloud environments to facilitate scalable and fast geospatial data access. It is widely used by GIS analysts, environmental scientists, and cartographers to visualize and distribute geospatial data. TiTiler supports integrating geospatial data into web applications and mapping services. The flexibility and dynamic capabilities of TiTiler enable it to be incorporated into a variety of geospatial workflows.

The vulnerability detected in TiTiler is a Blind Server-Side Request Forgery (SSRF). This kind of vulnerability allows an attacker to manipulate server-side requests, tricking the server into making HTTP requests to arbitrary internal or external systems. In the context of TiTiler, the flaw stems from improper handling of the `url` parameter of the `/cog/info` endpoint. An attacker can leverage it to reach internal services or interact with external services from the vulnerable server. The vulnerability can lead to unauthorized actions or data exposure through manipulated server requests.

The technical details of this vulnerability involve the manipulation of the `url` parameter within the `/cog/info` endpoint of TiTiler. The endpoint insufficiently validates user-supplied input, allowing attackers to craft malicious URLs. These URLs can induce the server to initiate requests to arbitrary destinations, either internally or externally. Indicators of the vulnerability may include unexpected outgoing HTTP requests from the server directed to attacker-controlled external hosts. The application's improper handling of these requests results in a blind SSRF, where attackers can exploit the vulnerable endpoint without directly seeing the response.
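The paragraph above names the two things a defender needs: validation of the `url` parameter before any server-side fetch, and a way to spot requests whose `url` points somewhere a tile server should never reach. The following is an added example, not TiTiler's own code, and does not reproduce any upstream fix. It assumes a hypothetical operator allowlist of hosts that may serve COGs (`ALLOWED_HOSTS`), and the access-log lines are constructed for the example. The same validator is reused to flag suspicious `/cog/info` requests in logs.

```python
"""Defensive validation and log triage for a user-supplied `url` parameter
such as the one accepted by a /cog/info style endpoint.

Added example, not TiTiler's code.  Assumption (hypothetical): the operator
maintains an explicit allowlist of hosts that may serve COGs; anything else
is rejected before the server makes any outbound request.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Only plain web fetches; operators using other backends extend this set.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Constructed allowlist for the example.
ALLOWED_HOSTS = frozenset({"tiles.example.org"})


def _is_restricted_ip(host: str) -> bool:
    """True when `host` is an IP literal in a range a tile server must not fetch from."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal; the allowlist decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_cog_url(url: str, allowed_hosts: frozenset[str]) -> tuple[bool, str]:
    """Return (ok, reason).  Reject before any request is issued."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        # Blocks `https://trusted.example@10.0.0.5/` style userinfo confusion.
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if _is_restricted_ip(host):
        return False, f"ip literal in restricted range: {host}"
    if host.lower() not in allowed_hosts:
        return False, f"host not in allowlist: {host}"
    return True, "ok"


# Constructed access-log lines (common log format) for the example.
LOG_LINES = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cog/info?url=https%3A%2F%2Ftiles.example.org%2Fscene.tif HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cog/info?url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 500 88',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cog/tiles/1/1/1 HTTP/1.1" 200 4096',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(lines: list[str], allowed_hosts: frozenset[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, url_value, reason) for every `url` parameter that fails validation."""
    flagged: list[tuple[str, str, str]] = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != "/cog/info":
            continue
        client_ip = line.split(" ", 1)[0]
        for url_value in parse_qs(target.query).get("url", []):
            ok, reason = validate_cog_url(url_value, allowed_hosts)
            if not ok:
                flagged.append((client_ip, url_value, reason))
    return flagged


if __name__ == "__main__":
    for entry in flag_suspicious_requests(LOG_LINES, ALLOWED_HOSTS):
        print("suspicious /cog/info request:", entry)
```

The host allowlist is the primary control; the IP-range check is defense in depth for literals that slip past it. A name on the allowlist is trusted to resolve somewhere safe, so the list should contain only hosts the operator controls or explicitly trusts, and the log triage is a useful way to confirm the validator is actually seeing the traffic it is meant to stop.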

When exploited, this vulnerability may allow attackers to access sensitive internal resources or conduct reconnaissance on internal services, facilitating further attacks. It can lead to unauthorized data access, lateral movement within the network, and potentially the compromise of sensitive internal assets. The exploitation of SSRF vulnerabilities can serve as a stepping stone for advanced persistent threats or allow attackers to exfiltrate sensitive information through stealthy channels.
