SSRF


  • SSRF occurs when an API fetches a remote resource without validating the user-supplied URL.

  • The attacker can force the app to send a request to an unexpected destination, such as localhost, bypassing firewalls or VPNs.

The web API stores the path of the uploaded files using the file URI scheme (file://), which represents local file paths (Figure 1).

This path is stored under the /supplier-companies/current-user endpoint (Figure 2).

The /api/v1/supplier-companies PATCH endpoint allows the user to modify the URI path (Figure 3). This should not be possible: the path should be set only by the server, from the file uploaded through the /api/v1/supplier-companies/certificates-of-incorporation POST endpoint.

An attacker could leverage this flaw and read a local file, such as /etc/passwd (Figure 4).
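The defensive counterpart of the two defects described above, as an added example (not the lab's or the author's code; the field names, function names and sample record are assumptions): restrict any server-side fetch to public http(s) destinations, and keep the certificate URI out of the fields a client may change via PATCH.

```python
"""Defensive checks for a stored URI that a server later fetches (added
example, not the HTB lab's code): reject non-http(s) schemes such as
file://, reject loopback/private/link-local targets, and never let the
client PATCH the URI that the upload handler is supposed to set."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed field names. The certificate URI is deliberately absent: only
# the certificates-of-incorporation POST handler may set it.
PATCHABLE_FIELDS = {"name", "contact_email", "address"}


def is_safe_fetch_url(url: str) -> bool:
    """True only for an http(s) URL pointing at a public host.

    Rejects file:// and every other scheme, 'localhost', and IP literals
    that are loopback, private, link-local, multicast, reserved or
    unspecified. For a DNS name this returns True; the resolved address
    must be re-checked at connect time, since a literal-only check can
    be bypassed by a name that resolves to an internal address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file:///etc/passwd has no hostname and wrong scheme
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # plain hostname; resolve and re-check before fetching
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved
                or addr.is_unspecified)


def apply_patch(record: dict, patch: dict) -> dict:
    """Apply a client PATCH body, silently dropping any field that is not
    in PATCHABLE_FIELDS, so the stored certificate URI cannot be swapped
    for an attacker-chosen one."""
    updated = dict(record)
    for key, value in patch.items():
        if key in PATCHABLE_FIELDS:
            updated[key] = value
    return updated


if __name__ == "__main__":
    # Constructed sample record and PATCH body.
    record = {"name": "Acme", "certificate_uri": "https://example.com/c.pdf"}
    print(apply_patch(record, {"certificate_uri": "file:///etc/passwd"}))
    print(is_safe_fetch_url("file:///etc/passwd"), is_safe_fetch_url(record["certificate_uri"]))
```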

Exercise

CWE-918: Server-Side Request Forgery (SSRF)

Figure 1: Finding an endpoint potentially vulnerable to SSRF.
Figure 2: The URI path is now stored in the application.
Figure 3: The URI path can be manually modified by the user.
Figure 4: Leveraging SSRF to read a local file.
Figure 5: Exploiting another SSRF vulnerability.