Viral Video - Exploiting SSRF in Video Converters

by Nikolay Ermishkin, Maxim Andreev
Sept. 17, 2017 1 comment belen_caty Pen Testing & Audits

Many web applications allow users to upload video: video and image hosting services, cloud storage, social networks, instant messengers, and so on. Typically, developers want to convert user-uploaded files into formats supported by all clients. The number of input formats is very large, so developers use third-party tools and libraries for video encoding. The most common solution in this area is ffmpeg and its forks. By default, ffmpeg supports many different formats, including playlists (files with a set of links to other files). In this Briefing, we will examine exploitation of SSRF in HLS (m3u8) playlist processing. Video processing is frequently done in the cloud, which by design is more vulnerable to SSRF attacks, and playlists support many different protocols (http, file, tcp, udp, gopher, ...), so SSRF in playlist processing can be critical and even lead to full service takeover.
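
One way to screen uploads before they reach the converter, as an added example that is not part of the original abstract or the authors' material: it extracts every reference from an HLS playlist and rejects disallowed schemes, relative paths and non-public IP literals. The allow-list, function names and sample playlist are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # assumed policy for this sketch
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URI attribute on tags such as #EXT-X-KEY

def playlist_uris(text):
    """Yield every reference in an HLS playlist: segment lines and URI="..." attributes."""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            yield from URI_ATTR.findall(line)
        elif line:
            yield line

def uri_problem(uri):
    """Return why a reference must not be fetched by the converter, or None if acceptable."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable URI"
    if not parts.scheme and not parts.netloc:
        return "relative reference (resolves next to the uploaded file on the converter)"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a name, not an IP literal; names are not resolved here
        return "missing or local host name" if host in ("", "localhost") else None
    return None if ip.is_global else f"non-public address {ip}"

def check_upload(data):
    """Return (uri, reason) findings; sniffs content, since a renamed playlist is still a playlist."""
    text = data[:1 << 20].decode("utf-8", "replace")
    if "#EXTM3U" not in text:
        return []
    return [(u, r) for u in playlist_uris(text) if (r := uri_problem(u))]

# Constructed sample upload (not from the talk): three bad references, one acceptable.
SAMPLE = b"""#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="http://10.0.0.5/key"
#EXTINF:10.0,
file:///constructed/path/secret.txt
#EXTINF:10.0,
segment2.ts
#EXTINF:10.0,
https://cdn.example.com/seg3.ts
"""
```

Host names are not resolved here, so a name that points at an internal address passes this check; pair it with egress filtering on the conversion host and ffmpeg's `-protocol_whitelist` option.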

Steven Ulm 9 months, 1 week ago

Video converters are such a popular thing these days, especially because of all the eye-catching formats like 4K... this is valuable information! Thank you so much for sharing it!