SSRF
What is it?
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. It can be used by an attacker to interact with internal systems, possibly bypassing firewalls or accessing unauthorized data.
A simple example
A vulnerable web application uses a parameter to retrieve an image from a URL, i.e., /loadImage?url={imageURL}. An attacker can potentially change the {imageURL} to point to internal resources that should not be exposed, such as http://localhost/admin or http://internal-service/api/secrets.
The impact of an SSRF vulnerability includes:
Access to internal services and data
Remote code execution
Denial of Service (DoS)
Other learning resources:
PortSwigger: https://portswigger.net/web-security/ssrf
Swisskyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
Checklist
Identify all points where the application makes a server-side HTTP request
URL parameters
Form fields
HTTP headers
Examine the application's handling of URL redirection
Test different URI schemes http, https, file, ftp, etc.
Does the application accept IP addresses (e.g., 127.0.0.1) or localhost as the hostname?
Test for internal network interactions
Can you map out the internal network infrastructure (port scanning, banner grabbing)?
Test for remote file inclusion
Test for cloud metadata exposure (relevant for cloud-based services) Amazon AWS, Google Cloud, etc.
Is there a blocklist?
Can you bypass the blocklist?
Encoding Hostname obfuscation
Alternative IP notation (e.g. 127.0.0.1 in hex is 0x7f.0x0.0x0.0x1)
Hex, Hex with extra 0s, Octal, two numbers, three numbers, etc
Exploitation
# Basic internal interaction
http://localhost/admin
# Using alternative IP notation (for 127.0.0.1)
http://2130706433
# Cloud metadata exposure (AWS)
http://169.254.169.254/latest/meta-data/Last updated