- Portswigger - SSRF
- Rana Khalil - SSRF Complete Guide
- Michael Sommer videos
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
- PayloadsAllTheThings - SSRF
- Hacktricks - SSRF
- Cracking the lens: targeting HTTP's hidden attack-surface
- Collaborator Everywhere
In simmple terms: Making the server side of the application make requests to unintended locations The attacker is exploiting the trust granted to requests originating from the machine hosting the web application and the internal systems Ask This Question: Are the URL parameters being properly validated at te backend?
- Port scan the network
- Enumerate the system, e.g.: Get the Instance Metadata
- Get access to restricted functionality
- Access sensitive data
- Remote Code Execution
- Regular/ In Band
- Blind / Out-of-Band
FROM
POST /some/endpoint HTTP/1.0
Host: mydomain
parameter=https://some-intended-endpoint.com/retrieving/something%3Fid%3D13TO
POST /some/endpoint HTTP/1.0
Host: mydomain
parameter=http://localhost/unintended-endpointUse:
- localhost
- 127.0.0.1
- Alternative representation of 127.0.0.1 => 2130706433, 017700000001, 127.1
- spoofed.burpcollaborator.net <= Resolves to 127.0.0.1
- Other backend system's IP - 192.168.0.x:portNumber
- nip.io <= Wildcard DNS for any IP Address
- Burp Suite Collaborator
- Requests expecting a url value to perform actions
- Requests fetching data from backend
- Identify requests that contain hostnames, IPs, or URLs
- Try the Referer Header
- Chain with an open redirect
- Automate with Extension - Collaborator Everywhere
- Walk throuhgh all the pages
- Try to understand the logic of the application
- Fuzz the parameter and tweak the payload to bypass defenses
- While exploiting a Blind SSRF, look for any differences between response (time, response status, etc)
Note: The Black-Box testing methodology steps are also followed
- Identify all request parameters that accept URLs
- Review security measures (blacklist, whitelist, etc) and see how to bypass them
Depends on the type of SSRF
- Determine if a port number can be specified
- Can you port-scan the internal network?
- Can you connect to other services on the loopoback address?
- Use bypass techniques - Check resources
- Try different representations of
localhostand127.0.0.1
- Try different representations of
- Encode the payload
- URL encoding
- DNS Rebinding attack - Register a domain name that resolves to internal IP address
- HTTP Redirection - Does the application has an open redirect vulnerability? Combine it with the SSRF and make requests to the desired system
- HTTP Redirection - Use your own server that redirects to an internal IP address
- Exploit inconsistencies in URL parsing
- Attempt to trigger an HTTP request to an external system under control
- Use Burp Collaborator
- Automate with Extension - Collaborator Everywhere
- Use bypass techniques - Check resources
Hidden attack surface
- Partial URL in requests
- URLs within data formats
- Referer header
- URL parsing discrepancies in the authority domain
- Compared cURL to the parses of other languages like PHP
- Nodejs - Unicode encoding to bypass filters
- NN for \xFF\x2E\xFF\x2E => the \xFF gets dropped so it becomes \x2E\x2E which is
.. - Same principle applies for CR-LF attacks => -* in unicode is U+FF0D U+FF0A which is
\r\n
- NN for \xFF\x2E\xFF\x2E => the \xFF gets dropped so it becomes \x2E\x2E which is