SSRF

Server Side Request Forgery

Posted by D on January 11, 2020

Introduction to SSRF

SSRF.

  • According to OWASP, a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.
  • The good thing about SSRF is that you cant chain it / a lot of possible attack vectors.
  • SSRF to Ports Scan, SSRF to Identify Internal Web Services, SSRF to Local File Read, SSRF to Data Leakage, etc.
  • Leveraging port smuggling

Two types of SSRF: External SSRF and Internal SSRF

External SSRF

  • Making outbound connections to a server you control
  • Making a pingback to a provided external URL
  • In some cases it allows you to get an internal IP or sensitive data
  • parses the content of a parameter using an external URL for example http://example.com/check?url=https://google.com
  • Doesn’t necessarily prove an exploitable SSRF scenario
  • In some case provide feedback through error or by design

Internal SSRF

  • Hitting internal services like grabbing metadata from an ASW host, discover internal hosts, and perform banner grabs from services.
  • Traverse internal networks & access internal administrative panels, routers, etc.
  • Scenario where forged requests can be routed internally example.com/lookup?url=localhost
  • Run port scans on internal IPs
  • Debug enpoints example.com/lookup?url=localhost/server-status

Lab URL

Public disclosure sample

Bypassing the blacklists

Resources and references

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

https://bugbountyforum.com/resources/#server-side-request-forgery

:
CATALOG
    FEATURED TAGS
    shadowsocks v2ray Broken Access Control XSS Recon linux_basic SecTools git Freedom psychology health web hacking food FastDFS nginx MySQL FreeBSD NTP authentication freebsd acme.sh let's encrypt