SSRF
Server-Side Request Forgery (SSRF) occurs when an attacker can make the server issue a request to a destination of the attacker's choosing. This can expose internal services or data, lead to unauthorized access, or even enable further attacks such as scanning internal networks or reading sensitive information (for example cloud metadata endpoints).
Validate and sanitize user input, restrict outbound requests, use network segmentation to limit access to internal services, and apply a strict allowlist (whitelist) of permitted URLs, hosts or IPs.
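As an added example (not code from the original page), the following shows a "fetch this URL for me" handler in its vulnerable form next to a hardened form that applies the mitigations above: scheme and port restriction, a host allowlist, rejection of any address that resolves to a non-public range, and no redirect following. The hosts, addresses and the stub resolver are constructed for the example.

```python
"""Vulnerable vs. hardened outbound fetch (added example, constructed names)."""
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener, urlopen

# Assumed allowlist: the only upstream hosts this feature is meant to talk to.
ALLOWED_HOSTS = {"stock.example.com", "images.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None = scheme default


def fetch_vulnerable(url: str) -> bytes:
    """Hands the user-controlled URL straight to the HTTP client: the SSRF."""
    # file:///etc/passwd, http://localhost/admin, http://169.254.169.254/... all go through.
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def default_resolver(host: str):
    """Every address (A and AAAA) the host currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def stub_resolver(host: str):
    """Constructed DNS answers so the example runs offline."""
    return {"stock.example.com": ["93.184.216.34"],   # public
            "images.example.com": ["127.0.0.1"]}[host]  # allowlisted name pointing inside


def is_public_address(text: str) -> bool:
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global


def validate_outbound_url(url: str, resolver=default_resolver) -> str:
    """Return url unchanged, or raise ValueError if this feature may not fetch it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")  # catches host@evil tricks
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in ALLOWED_PORTS:  # raises ValueError itself on a garbage port
        raise ValueError(f"port not allowed: {parts.port}")
    # An allowlisted name must also resolve somewhere public; otherwise a hijacked
    # or attacker-controlled DNS entry turns the allowlist back into SSRF.
    for addr in resolver(host):
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


def url_is_allowed(url: str, resolver=default_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


class NoRedirect(HTTPRedirectHandler):
    """Refuse redirects: a 302 from an allowlisted host could point anywhere."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib raises HTTPError instead of following


def fetch_hardened(url: str, resolver=default_resolver) -> bytes:
    validate_outbound_url(url, resolver)
    opener = build_opener(NoRedirect())
    with opener.open(Request(url), timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    for candidate in ("https://stock.example.com/api/stock?id=1",
                      "http://localhost/admin",
                      "file:///etc/passwd",
                      "https://images.example.com/logo.png"):
        print(f"{url_is_allowed(candidate, stub_resolver)!s:5}  {candidate}")
```

The resolution check is not atomic with the later connection (DNS rebinding can still swap the answer between validation and fetch); pinning the validated address into the connection, or routing all outbound traffic through an egress proxy that enforces the same policy, closes that gap.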
General Information
We are searching for requests that:
- Include full URLs in the POST body or parameters
- Include full or partial URL paths in the POST body or parameters
- Have headers that include URLs, such as Referer
- Allow for user input that may result in the server retrieving resources
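The following is an added example (not code from the original page) that applies the checklist above to a raw HTTP request and lists the locations worth testing: values that are full URLs, values that look like partial paths, URL-bearing headers, and parameter names that suggest a fetch even when the sample value is not a URL. The sample request is constructed for the example; the header list beyond Referer and the name hints are assumptions.

```python
"""Flag SSRF candidate injection points in a raw request (added example)."""
import json
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Headers that commonly carry URLs. The page names Referer; the rest are an assumption.
URL_HEADERS = ("referer", "origin", "x-forwarded-host", "x-original-url")
# Parameter names that often take a URL or path (assumption, heuristic only).
NAME_HINTS = re.compile(r"(url|uri|link|src|dest|redirect|path|file|feed|callback|host|api|fetch|load|proxy)", re.I)
FULL_URL = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)          # scheme://...
PARTIAL_PATH = re.compile(r"^/?(?:[\w.\-]+/)+[\w.\-]*$")         # dir/sub/file.ext


def classify(name: str, value: str) -> Optional[str]:
    """Why a parameter is interesting, or None if it is not."""
    if FULL_URL.match(value):
        return "full-url"
    if PARTIAL_PATH.match(value):
        return "partial-path"
    if NAME_HINTS.search(name):
        return "suggestive-name"
    return None


def _walk_json(obj, prefix=""):
    """Yield (dotted.name, string value) for every string in a JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_json(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_json(v, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        yield prefix, obj


def find_ssrf_candidates(raw_request: str) -> list:
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()

    found = []

    def add(location, name, value, kind):
        found.append({"location": location, "name": name, "value": value, "kind": kind})

    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        kind = classify(name, value)
        if kind:
            add("query", name, value, kind)

    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        pairs = parse_qsl(body, keep_blank_values=True)
    elif "json" in ctype:
        pairs = list(_walk_json(json.loads(body)))
    else:
        pairs = []
    for name, value in pairs:
        kind = classify(name, value)
        if kind:
            add("body", name, value, kind)

    for h in URL_HEADERS:  # any URL-bearing header is a candidate regardless of value
        if h in headers:
            add("header", h, headers[h], "url-header")
    return found


# Constructed sample: a stock-check POST with one full URL, one partial path and a Referer.
_BODY = ("stockApi=http%3A%2F%2Fstock.example%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1"
         "&storeId=1&template=%2Ftemplates%2Fstock.html")
SAMPLE_REQUEST = ("POST /product/stock?productId=1 HTTP/1.1\r\n"
                  "Host: shop.example\r\n"
                  "Referer: https://shop.example/product?productId=1\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  f"Content-Length: {len(_BODY)}\r\n\r\n" + _BODY)

if __name__ == "__main__":
    for c in find_ssrf_candidates(SAMPLE_REQUEST):
        print(f"{c['location']:7} {c['name']:12} {c['kind']:16} {c['value']}")
```

Run it against a request copied out of a proxy history; every reported line is a place to substitute a Collaborator-style callback URL or an internal address and watch for a fetch.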
To test for SSRF we can use Burp's Collaborator or free alternatives that provide an out-of-band (OAST) listener for the server's callback.
Automated tools such as SSRFmap can also be used to check for SSRF.
Examples
Typical Flaws
The below example is based on PortSwigger's SSRF module.
The /admin directory is restricted for normal users: it is accessible only to administrators, or when it is requested from localhost (Figure 1).

The Check Stock functionality makes a call to an external resource (Figure 2).

The stockApi parameter is vulnerable to SSRF: pointing it at http://localhost/admin makes the server fetch the admin interface on its own behalf, so it can be leveraged to perform administrative operations (Figure 3).

The below example is based on the crAPI application.


Encoding Payloads
The below example is based on HTB's Web Service & API Attacks module.
The payload might need to be encoded, here as Base64, for the SSRF to work (Figure 6). The tr -d '\n' strips the newline that echo appends; without it the newline is encoded as well and the string ends in Cg==, which the server would include in the URL it fetches.
# Encoding the payload
$ echo http://10.10.15.28 | tr -d '\n' | base64
aHR0cDovLzEwLjEwLjE1LjI4

URI Paths
The below example is based on HTB's API Attacks module.
