SSRF attack - Server-Side Request Forgery
General index of the course
- Setting up the environment
- API Reconnaissance
- Endpoint Analysis
- Scanning APIs
- API Authorization Attacks
- Exploiting API Authorization
- Testing for Improper Assets Management
- Mass Assignment
- Server-Side Request Forgery
- Injection Attacks
- Evasion and Combining Techniques
- Setting up the labs + Writeups
This vulnerability allows an attacker to supply URLs that expose private data, scan the target's internal network, or compromise the target through remote code execution.
Identify endpoints
Read your collection thoroughly and search for requests that:
- Include full URLs in the POST body or parameters
- Include URL paths (or partial URLs) in the POST body or parameters
- Carry headers that include URLs, such as Referer
- Allow user input that may cause the server to retrieve a resource
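The first three checks above can be run mechanically over an exported collection. The script below is an added example (not part of the course and not a Postman feature): it walks a constructed JSON sample shaped like a Postman collection export and flags every query parameter, URL-bearing header and JSON body field whose value is a full URL or a URL path, so the candidates for SSRF testing are listed in one place. The sample requests, hostnames and the `URL_HEADERS` set are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the shape of a Postman collection export (not a real
# export and not part of the course); three requests, two of which carry URLs.
SAMPLE_COLLECTION = json.dumps({
    "item": [
        {"name": "Load inventory",
         "request": {"method": "POST",
                     "url": {"raw": "https://api.example.test/v1/inventory/import"},
                     "header": [{"key": "Content-Type", "value": "application/json"}],
                     "body": {"mode": "raw",
                              "raw": json.dumps({"source": "http://store.example.test/inventory/1"})}}},
        {"name": "Get report",
         "request": {"method": "GET",
                     "url": {"raw": "https://api.example.test/v1/report?path=/reports/q1.pdf"},
                     "header": [{"key": "Referer", "value": "https://app.example.test/dashboard"}]}},
        {"name": "Health",
         "request": {"method": "GET",
                     "url": {"raw": "https://api.example.test/v1/health"},
                     "header": []}},
    ]
})

FULL_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # scheme://...
PARTIAL_URL = re.compile(r"^(/|\.\./)|[?&=]")            # path-like, or carries its own query
URL_HEADERS = {"referer", "origin", "x-forwarded-host", "x-original-url"}  # assumption


def classify_value(value):
    """Label a parameter value as a full URL, a partial URL/path, or None."""
    if FULL_URL.match(value):
        return "full URL"
    if PARTIAL_URL.search(value):
        return "URL path/partial URL"
    return None


def find_ssrf_candidates(collection_json):
    """Return (request name, location, kind) for every value worth testing."""
    findings = []
    for item in json.loads(collection_json).get("item", []):
        name = item.get("name", "?")
        req = item.get("request", {})
        # 1) query-string parameters of the request URL
        raw_url = req.get("url", {}).get("raw", "")
        for key, value in parse_qsl(urlsplit(raw_url).query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append((name, f"query:{key}", kind))
        # 2) headers that are expected to carry URLs (Referer and friends)
        for header in req.get("header", []):
            if header.get("key", "").lower() in URL_HEADERS and classify_value(header.get("value", "")):
                findings.append((name, f"header:{header['key']}", "URL-bearing header"))
        # 3) string fields of a raw JSON body
        body = req.get("body", {})
        if body.get("mode") == "raw":
            try:
                fields = json.loads(body.get("raw", ""))
            except ValueError:
                fields = {}
            for key, value in (fields.items() if isinstance(fields, dict) else []):
                kind = classify_value(value) if isinstance(value, str) else None
                if kind:
                    findings.append((name, f"body:{key}", kind))
    return findings


if __name__ == "__main__":
    for finding in find_ssrf_candidates(SAMPLE_COLLECTION):
        print(*finding, sep="  ")
```

Run it against a real export by loading the file's text into `find_ssrf_candidates`; the fourth bullet (any input that makes the server retrieve something) still needs a human read of each request, since a hostname or an ID that the server turns into a URL does not look like a URL in the collection.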
SSRF types
In-Band SSRF
A URL supplied by the attacker is used as the payload. The request is sent, the server fetches that URL, and the content of the supplied URL is displayed back to you in the response.
A possible endpoint:
SSRF code:
Blind SSRF
It's similar to the In-Band attack, but in this case the response that comes back gives us no indication of whether the server is vulnerable: the content of the supplied URL is not reflected.
There is still a way to test it. Burp Suite Pro has a great tool called Burp Collaborator. Collaborator sets up a listener on a random URL and reports the details of any request made to it, so if the server fetches our Collaborator URL we know the request was made even though nothing is reflected.
Tools to test Blind SSRF
Free:
- https://webhook.site
- http://pingb.in/
- https://requestbin.com/
- https://canarytokens.org/
Paid:
- Burp Collaborator.