CHALLENGE DESCRIPTION [CLOSED]

The Azure Server-Side Request Forgery (SSRF) Research Challenge invited security researchers to discover and share high-impact Server-Side Request Forgery (SSRF) vulnerabilities in Microsoft Azure. This challenge featured a bonus structure based on specific scenarios. Qualified submissions were eligible for bounty awards of up to $60,000 USD.

This Research Challenge ran from August 19, 2021, through November 19, 2021, with SSRF research resources and the opportunity to collaborate with members of the Microsoft Cloud security team.

This bounty program is subject to the terms and conditions outlined in the Azure Bounty Program and the Microsoft Bounty Terms and Conditions.

QUALIFYING SSRF VULNERABILITIES [CLOSED]

For the purposes of this research challenge, SSRF includes vulnerabilities that would be classified as MITRE CWE-918 or vulnerabilities that fit the definition of SSRF provided by OWASP.

SCENARIO AWARDS [CLOSED]

All reporting is first considered under the Azure Bounty Program. If your submission meets the following scenarios or requirements, then it will be considered for an additional bonus under this Azure SSRF Challenge. 

If your report qualifies for multiple scenarios, eligible submissions will be awarded the single highest bonus. 

SCENARIOS AND BONUS AMOUNT (UP TO)

  • Protocols other than HTTP (e.g., FTP bounce attack): 50%
  • Stored SSRF (as analogous to stored XSS): 50%
  • “Deep” SSRF: 50%
    • Example: SSRF attacks that are only evident far into the state machine of the victim
    • Example: SSRF manifesting beyond the direct exploitation of a UI/client-side feature exposed by the service to the users
  • Multi-hop SSRF (i.e., more than one confused deputy): 40%
  • SSRF in combination with CSRF: 30%
  • General SSRF Award: 10%

In addition to the scenarios above, Microsoft will also be awarding discretionary bonuses for creative SSRF attack vectors that are discovered independently of automation or tooling. These submissions will need to display an innovative strategy or process for exploitation. 

ELIGIBLE SUBMISSIONS [CLOSED]

The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application. 

Vulnerability submissions must meet the following criteria to be eligible for bounty awards: 

  • Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft. 
  • Such vulnerability must be of previously unreported Critical or Important severity and must reproduce in one of the in-scope products or services. 
  • Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team with the information necessary to quickly reproduce, understand, and fix the issues.
    • Find examples here.  

We request that researchers include the following information to help us quickly assess their submission:

  • Submit through the MSRC Researcher Portal
  • Include “[AzSSRF]” in the “Title / Short Description” section of the vulnerability submission. Reports submitted without “[AzSSRF]” may not be eligible for the bounty awards under this challenge. 
    • Example: [AzSSRF] - <Product/Service Name> - <Specifics of the vulnerability and impact in one line> as title 
  • Indicate in the vulnerability submission which scenario (if any) your report qualifies for 
  • Please indicate specific APIs within your submission for validation.  
  • Please let us know the request you sent (headers, etc.) and provide that information to the case manager team so that our team can confirm whether that request was received.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.  

GETTING STARTED [CLOSED]

Please create a test account and test tenants for security testing and probing.  

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research. 

RESOURCES FOR PROGRAM PARTICIPANTS [CLOSED]

The Azure SSRF Research Challenge also provides resources to support research, including: 

  • Consolidated Azure product documentation to support SSRF hunting 
  • Direct communication channel with the Microsoft Cloud Security team 
  • Researchers who demonstrate novel or impactful SSRF vulnerabilities in Azure may be invited to discuss their findings with members of the Azure security team and featured in MSRC’s researcher spotlight.  

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES [CLOSED]

In addition to the OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES noted in the Azure Bounty Program, the following is also out of scope for this SSRF challenge:  

  • Vulnerabilities that require the attacker to already have a presence on an Azure VM or Container instance on Azure (these will be awarded under the Azure Bounty Program);
  • Vulnerabilities that require the attacker to already have compromised an Azure VM or Container instance on Azure; and
  • SSRF vulnerabilities where the underlying issue is in an external product or third party.

ADDITIONAL INFORMATION 

For additional information, please see our FAQ.  

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission. 
  • If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.  
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program. 
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria. 

Thank you for participating in the Azure SSRF Challenge!  

REVISION HISTORY

  • August 19, 2021: The Azure SSRF Research Challenge launched. 
  • November 19, 2021: The Azure SSRF Research Challenge has concluded.