SSRF Vulnerability Found in AI Chatbot

A recent real-world case study demonstrated how a Server-Side Request Forgery (SSRF) vulnerability can be exploited through stored profile data in an AI chatbot. The finding underscores the need for penetration testers to understand both traditional web vulnerabilities and the specific logic of AI applications. The combination of classic exploits with AI systems represents a growing attack vector.

- Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can force a server to make requests to unintended locations. In the context of AI, this could mean tricking the AI's backend into interacting with internal services or leaking sensitive data.
- The Open Worldwide Application Security Project (OWASP) listed SSRF as one of the top 10 most critical web application security risks in 2021. Its impact can range from data exposure to full remote code execution.
- A notable real-world example involved a researcher discovering an SSRF vulnerability in OpenAI's ChatGPT. The researcher, Jacob Krut, found the flaw in the "Custom GPTs" feature, which failed to properly validate user-provided URLs.
- The ChatGPT exploit involved using a 302 redirect from a public HTTPS site to an internal cloud metadata endpoint. The researcher then used the custom API key feature to add a required "Metadata: true" header, which allowed access to Azure cloud metadata and OAuth tokens.
- Another SSRF vulnerability, identified as CVE-2023-49785, was found in the ChatGPT-Next-Web user interface. This flaw could be used to access internal HTTP endpoints, steal cloud instance IAM credentials, or use the vulnerable server as a proxy for other attacks.
- A separate vulnerability, CVE-2024-27564, was found being exploited in ChatGPT's infrastructure. This SSRF attack targeted a specific file (`pictureproxy.php`) and did not require authentication, with one attacker making over 10,000 attempts from a single IP address.
- Common mitigation techniques for SSRF include creating allowlists for approved domains and IP addresses, disabling unused URL schemes like `file://` and `gopher://`, and using Web Application Firewalls (WAFs) to filter malicious requests.
- For penetration testers, identifying SSRF vulnerabilities in AI systems requires looking beyond traditional input fields. Testers should examine features that process external data, such as URL previews, file uploads from URLs, and API integrations within the AI or chatbot's functionality.
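
The allowlist and scheme mitigations above only hold against the 302-redirect bypass if every redirect hop is validated before it is requested. The following is an added example, not code from the article or from any project it names; `fetch_hop` and `resolve` are hypothetical injection points, and the hostname, addresses and responses are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"https"}              # file://, gopher://, http:// all rejected
ALLOWED_HOSTS = {"api.partner.example"}  # constructed allowlist entry

# Constructed stand-ins for DNS and HTTP so the example runs offline.
SAMPLE_DNS = {"api.partner.example": ["93.184.216.34"]}
SAMPLE_HOPS = {
    "https://api.partner.example/ok": (200, None),
    "https://api.partner.example/hook": (302, "http://169.254.169.254/metadata"),
}

def check_url(url, resolve):
    """Return None when url may be requested, otherwise the reason it may not."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return f"host {host!r} did not resolve"
    for addr in addrs:
        # Reject private, loopback, link-local (cloud metadata) and reserved ranges.
        if not ipaddress.ip_address(addr).is_global:
            return f"{host} resolves to non-public address {addr}"
    return None

def fetch_validated(url, fetch_hop, resolve, max_hops=3):
    """Follow redirects by hand, re-running check_url before every hop."""
    for _ in range(max_hops + 1):
        reason = check_url(url, resolve)
        if reason:
            return ("blocked", url, reason)
        status, location = fetch_hop(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # relative Location headers are legal
            continue
        return ("ok", url, status)
    return ("blocked", url, "too many redirects")

def demo():
    """Run both constructed URLs through the validated fetch."""
    hop = lambda u: SAMPLE_HOPS.get(u, (404, None))
    resolve = lambda h: SAMPLE_DNS.get(h, [])
    return [fetch_validated(u, hop, resolve) for u in SAMPLE_HOPS]
```

In a real client, automatic redirect following must be switched off so that `fetch_hop` returns each 3xx response instead of chasing it, and the connection should be made to the address that was validated so a second DNS lookup cannot return a different one.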
