# SSRF

> [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html)

* When an API fetches a remote resource without validating the user-supplied URL.
* The attacker can force the app to send a request to an unexpected destination, such as localhost, bypassing firewalls or VPNs.

The web API stores the path of the uploaded files using the `file` URI scheme, which is used to represent local file paths (Figure 1).

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FJf7yNGxuJtkUDLY1Q4TI%2Fhtb_api_ssrf_1.png?alt=media&#x26;token=4eb0b6a7-9a95-4e18-a36a-ce21cbd6d468" alt=""><figcaption><p>Figure 1: Finding a potential vulnerable-to-SSRF endpoint.</p></figcaption></figure>

This path is stored under the `/supplier-companies/current-user` endpoint (Figure 2).

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FSVci0v5cMwytUExJslJM%2Fhtb_api_ssrf_2.png?alt=media&#x26;token=d525e4b7-e60d-4780-9c0f-6452ba42f863" alt=""><figcaption><p>Figure 2: The URI path is now stored in the application.</p></figcaption></figure>

The `/api/v1/supplier-companies` `PATCH` endpoint allows the user to modify the stored URI path (Figure 3). This should not be possible: the path should be set only by the server, from the value produced by the `/api/v1/supplier-companies/certificates-of-incorporation` `POST` endpoint.

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FJDlrb2k5aOzyQr7krSrI%2Fhtb_api_ssrf_3.png?alt=media&#x26;token=5984c64b-a20e-4863-baa6-59c9630a286b" alt=""><figcaption><p>Figure 3: The URI path can be manually modified by the user.</p></figcaption></figure>

An attacker could leverage this flaw and read a local file, such as `/etc/passwd` (Figure 4).

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2F9azvYRin5eLiNPtRvP3p%2Fhtb_api_ssrf_4.png?alt=media&#x26;token=11df4173-9bf4-4fd8-ab5f-758a5a060256" alt=""><figcaption><p>Figure 4: Leveraging SSRF to read a local file.</p></figcaption></figure>
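The root cause above is twofold: the `PATCH` endpoint lets the client overwrite a server-managed field, and the server then fetches whatever URI is stored, including `file://` paths. The following Python is an added example, not code from the HTB notes or from the target application, showing the two defensive checks a practitioner would want: a `PATCH` handler that copies only an explicit allowlist of client-editable fields (so the certificate path can only be set by the upload handler), and a URL validator that runs before any server-side fetch and accepts only `http(s)`, only allowlisted hosts, and only hosts whose resolved addresses are public. Field names, hostnames, directory names and IP addresses are constructed for illustration; the resolver is injectable so the check can be exercised offline.

```python
"""Added example (not from the HTB notes): closing the SSRF described above.

1) patch_supplier_company applies a client PATCH through an allowlist of
   editable fields, so certificate_path cannot be overwritten by the client.
2) store_certificate_upload is the only place the path is set, server-side.
3) validate_fetch_url gates every outbound fetch the server makes on a user's
   behalf: scheme allowlist, host allowlist, then DNS result check.
Field names, hosts, paths and addresses below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

CLIENT_EDITABLE_FIELDS = {"name", "address", "contact_email"}  # constructed
ALLOWED_FETCH_HOSTS = {"cdn.example.com"}                       # constructed
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when the server must not fetch the given URL."""


def patch_supplier_company(stored: dict, payload: dict) -> dict:
    """Apply a PATCH while ignoring any field the client may not edit.

    A payload carrying certificate_path (e.g. a file:// URI) is silently
    dropped; the stored value survives unchanged.
    """
    updated = dict(stored)
    for key, value in payload.items():
        if key in CLIENT_EDITABLE_FIELDS:
            updated[key] = value
    return updated


def store_certificate_upload(stored: dict, company_id: int, ext: str) -> dict:
    """Set certificate_path from server-controlled parts only (POST upload).

    The client influences nothing but the extension, which is itself
    validated against a short allowlist. Directory name is constructed.
    """
    safe_ext = ext.lower().lstrip(".")
    if safe_ext not in {"pdf", "png"}:
        raise ValueError("unsupported certificate type")
    updated = dict(stored)
    updated["certificate_path"] = f"file:///var/app/certs/{company_id}.{safe_ext}"
    return updated


def _resolve(host: str) -> list[str]:
    """Default resolver (real DNS). Tests inject a fake one to stay offline."""
    addrs = {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    return sorted(addrs)


def _is_public(ip_str: str) -> bool:
    """True only for addresses outside loopback, private, link-local and
    other special ranges (covers 127/8, 10/8, 169.254/16, ::1, ...)."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=_resolve) -> str:
    """Return url if the server may fetch it, otherwise raise UnsafeURL.

    Cheap checks first: a non-http(s) scheme (file, gopher, ...) or a host
    outside the allowlist is rejected before any DNS lookup. The lookup then
    catches an allowlisted name that points at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme or '<none>'}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_FETCH_HOSTS:
        raise UnsafeURL(f"host not in allowlist: {host or '<none>'}")
    addresses = resolve(host)
    if not addresses:
        raise UnsafeURL("host did not resolve")
    for addr in addresses:
        if not _is_public(addr):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return url


def is_safe_fetch_url(url: str, resolve=_resolve) -> bool:
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    record = {"name": "Acme", "certificate_path": None}
    # Client tries to set the stored path through PATCH: the field is ignored.
    record = patch_supplier_company(
        record, {"name": "Acme Ltd", "certificate_path": "file:///etc/passwd"})
    print(record)
    record = store_certificate_upload(record, 42, ".PDF")  # server sets it
    print(record)
    fake_dns = lambda h: ["1.2.3.4"]  # constructed public address
    for candidate in ("file:///etc/passwd", "https://cdn.example.com/x.pdf"):
        print(candidate, "->", "fetch" if is_safe_fetch_url(candidate, fake_dns) else "reject")
```

The scheme and host allowlist already block the `file://` case on this page; the DNS step is defence in depth for the more general SSRF case where an allowlisted hostname is later pointed at an internal address. Note that resolving once for validation and again inside the HTTP client leaves a small rebinding window, so in production the validated address should be pinned for the actual connection.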

## Exercise

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FlwRL6agquUTEFTDvhiO5%2Fhtb_api_ssrf_ex.png?alt=media&#x26;token=28c05215-826c-44e0-a6ca-0010a9209ab7" alt=""><figcaption><p>Figure 5: Exploiting another SSRF vulnerability.</p></figcaption></figure>
