Exploitation

SSRF (Server-Side Request Forgery) is an attack where an attacker tricks a server into making unauthorized requests to internal or external systems, essentially treating the server as a proxy.

Instance Metadata in Cloud

Many cloud providers offer internal services that provide VMs with configuration metadata, like SSH public keys. AWS uses the address 169.254.169.254 for this, while GCP uses metadata.google.internal, which might include private credentials. These metadata services can sometimes be modified using POST or PUT requests. If we can only send GET requests, we can only read metadata. However, if we can update the metadata, we could potentially gain access to the environment by adding our own SSH key to the list of authorized keys.

Authentication in Microservices

Applications in containers or microservices often have fewer security controls and rely on systems like API gateways or reverse proxies to enforce them. If we exploit an SSRF flaw in one application or microservice, we might be able to make it communicate directly with another microservice, bypassing security controls. This means any protections enforced by the API gateway on incoming traffic would not apply to traffic between the two microservices, as it originates from within the internal network.
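The mitigation for the situation described above is for the downstream service to authenticate every request itself rather than trusting that traffic arriving from inside the network has already passed the gateway. The following is an added example (not code from the original notes): an internal endpoint verifies a per-request HMAC that only the gateway can produce, so a request forged through an SSRF flaw in a sibling service, which controls the target and the headers but not the gateway's secret, is rejected. The header names, the secret and the paths are constructed for illustration.

```python
"""Added example: an internal service that checks a gateway-issued request
signature instead of trusting network origin. Names and values are assumptions."""
import hashlib
import hmac
import time

# Constructed shared secret; a real deployment loads it from a secret store.
INTERNAL_SECRET = b"constructed-demo-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes


def sign_request(method, path, timestamp, secret=INTERNAL_SECRET):
    """What the gateway computes before forwarding a request downstream."""
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_internal_request(method, path, headers, now=None, secret=INTERNAL_SECRET):
    """Return (ok, reason). Called by the downstream service on every request,
    regardless of the source address the request arrived from."""
    now = time.time() if now is None else now
    ts = headers.get("X-Internal-Timestamp")
    sig = headers.get("X-Internal-Signature")
    if ts is None or sig is None:
        return (False, "missing internal auth headers")
    try:
        ts_val = int(ts)
    except ValueError:
        return (False, "bad timestamp")
    if abs(now - ts_val) > MAX_SKEW_SECONDS:
        return (False, "stale timestamp")
    expected = sign_request(method, path, ts, secret)
    # Constant-time comparison so the check itself does not leak the signature.
    if not hmac.compare_digest(expected, sig):
        return (False, "bad signature")
    return (True, "ok")


def demo():
    """Gateway-forwarded request is accepted; the same request replayed through
    an SSRF pivot without the secret is rejected even though it is internal."""
    ts = "1700000000"
    via_gateway = {"X-Internal-Timestamp": ts,
                   "X-Internal-Signature": sign_request("GET", "/v1/users/42", ts)}
    via_ssrf = {"X-Forwarded-For": "10.0.0.7"}  # attacker-controlled headers, no secret
    return (authorize_internal_request("GET", "/v1/users/42", via_gateway, now=1700000100),
            authorize_internal_request("GET", "/v1/users/42", via_ssrf, now=1700000100))


if __name__ == "__main__":
    print(demo())
```

The signature binds method, path and a timestamp; binding the body hash as well, and tracking nonces to stop replay within the skew window, are the obvious next steps for a real deployment. The point of the example is only that the check runs in the downstream service, so bypassing the gateway gains nothing.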

Alternative URL Schemes

Depending on the user-agent that generates the forged request, we might be able to use protocols other than HTTP.

  • The file scheme allows us to reference files on the target server and requires a host and a path. However, we can omit the host value by using a single slash, which indicates there is no hostname (file:/tmp/foo.txt), or three slashes, which indicate an empty hostname (file:///tmp/foo.txt).

  • The Gopher protocol can be used to bypass some of the restrictions of a traditional SSRF flaw, as it allows newline characters in URLs, which can be used to inject headers into the request. For an example of how to leverage the gopher protocol via an SSRF flaw, see here.

The Python requests library supports neither the file nor the gopher scheme, but curl supports both.
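The defensive counterpart to both the metadata section and the scheme list above is an allow-list on the URLs an application will fetch on a user's behalf. The following is an added example, not code from the original notes: it accepts only http and https (so file: and gopher: are rejected whatever the HTTP client supports), refuses the metadata endpoints named above, and applies the same address check to the resolved IPs when a resolver is supplied. The function names, the allowed port list and the extra blocked ranges are assumptions.

```python
"""Added example: allow-list validation for server-side fetches (SSRF mitigation).
Function names, the port list and the blocked ranges beyond the notes are assumptions."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # deny by default: no file:, gopher:, ftp:, dict:, ...
ALLOWED_PORTS = {80, 443}             # assumption: the app only talks to web origins

# Hostname used by the GCP metadata service (from the notes above).
BLOCKED_HOSTNAMES = {"metadata.google.internal"}
AWS_METADATA = ipaddress.ip_address("169.254.169.254")


def _address_is_blocked(addr):
    """True for addresses a server should never be asked to fetch from."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped   # ::ffff:169.254.169.254 is checked as 169.254.169.254
    if addr == AWS_METADATA:
        return True
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_outbound_url(url, resolver=None):
    """Return (ok, reason). `resolver(host) -> [ip strings]` is injectable so the
    check runs offline here; production passes real DNS resolution."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return (False, f"scheme not allowed: {scheme or '<none>'}")
    # hostname is lowercased, has user@ and [] stripped, and is None for
    # file:/tmp/x and file:///tmp/x style URLs with no host.
    host = parts.hostname
    if not host:
        return (False, "missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return (False, "invalid port")
    if port not in ALLOWED_PORTS:
        return (False, f"port not allowed: {port}")
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return (False, f"host blocked: {host}")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None   # a DNS name, checked through the resolver below
    if literal is not None:
        if _address_is_blocked(literal):
            return (False, f"address blocked: {host}")
        return (True, "ok")
    if resolver is not None:
        for ip in resolver(host):
            if _address_is_blocked(ipaddress.ip_address(ip)):
                return (False, f"{host} resolves to blocked address {ip}")
    return (True, "ok")


if __name__ == "__main__":
    for u in ("file:///tmp/foo.txt", "gopher://127.0.0.1:6379/_x",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "https://example.com/report"):
        print(u, validate_outbound_url(u))
```

Two caveats a practitioner should keep in mind: a DNS name that passes the resolver check can still be rebound to an internal address between validation and connection, so the HTTP client should connect to the address that was validated rather than resolving again; and the decimal, octal and shortened IP forms that browsers and libc accept are not IP literals to `ipaddress`, which is why the resolver path, not the literal path, has to be the one that catches them in production.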
