SSRF attack - Server Side Request Forgery
OWASP
OWASP Web Security Testing Guide 4.2 > 7. Data Validation Testing > 7.19. Testing for Server-Side Request Forgery
ID | Link to Hackinglife | Link to OWASP | Description |
---|---|---|---|
7.19 | WSTG-INPV-19 | Testing for Server-Side Request Forgery | - Identify SSRF injection points. - Test if the injection points are exploitable. - Asses the severity of the vulnerability. |
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The attacker could create a request to internet or to the intranet, which can be used to port scan or probe a remote machine. Basically, it could allow an atacker to:
- Take control of a remote machine.
- Read or update data.
- Read the server configuration.
- Connect to internal services...
With:
Exploitation
Load the Contents of a File
Read files from restricted resources
GET https://example.com/page?page=https://localhost:8080/admin
GET https://example.com/page?page=https://127.0.0.1:8080/admin
GET https://example.com/page?page=file:///etc/passwd
Read files from other backend systems
In some cases, the application server is able to interact with back-end systems that are not directly reachable by users. These systems often have non-routable private IP addresses.
GET https://example.com/page?page=https://localhost:3306/
GET https://example.com/page?page=https://localhost:6379/
GET https://example.com/page?page=https://localhost:8080/
Gopherus sends non authenticated requests to other services and it succedde
Techniques
Bypass blacklist-based input filters
Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using the following techniques:
- Use an alternative IP representation of
127.0.0.1
, such as2130706433
,017700000001
, or127.1
. - Register your own domain name that resolves to
127.0.0.1
. You can usespoofed.burpcollaborator.net
for this purpose. - Obfuscate blocked strings using URL encoding or case variation.
- Provide a URL that you control, which redirects to the target URL. Try using different redirect codes, as well as different protocols for the target URL. For example, switching from an
http:
tohttps:
URL during the redirect has been shown to bypass some anti-SSRF filters.
Bypass whitelist-based input filters
Some applications only allow inputs that match, a whitelist of permitted values. The filter may look for a match at the beginning of the input, or contained within in it. You may be able to bypass this filter by exploiting inconsistencies in URL parsing.
- Using the
@
character to separate between the userinfo and the host: `https://expected-host:fakepassword@evil-host - URL fragmentation with the
#
character:https://attacker-domain#expected-domain
- You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: -
https://expected-host.evil-host
- URL encoding. Double URL-encode characters to confuse the URL-parsing code.
- Fuzzing
- Combinations of all of the above
Exploiting redirection vulnerabilities
It is sometimes possible to bypass filter-based defenses by exploiting an open redirection vulnerability.
Resources
Tools and payloads
- See updated chart: Attacks and tools for web pentesting.
- Gopherus.