Server Side Request Forgery

sanket narawade

What is Server-Side Request Forgery? What are the different types of SSRF? In which areas of an application can SSRF be found? What are the different bypasses for SSRF? What are the impact and mitigations of SSRF?

Definition

SSRF occurs when an attacker can make the application's server send a request to an internal server on the attacker's behalf, abusing that functionality to read or update internal resources.

Types of SSRF

  1. Basic SSRF: The attacker makes the application request an internal server and, without validation, the server returns the response to the attacker. This leads to data leakage such as server metadata, port-scan results, and the different services running behind the application.

  2. Blind SSRF: The attacker makes the application request an internal server but cannot see the response directly in the page. To confirm that the request was made, an out-of-band tool such as “Burp Suite Collaborator“ or “Interact.sh“ can be used.

Different areas to find SSRF

  1. If the application has upload functionality, different payloads can be tried to get the internal server details.

  2. If the application has screenshot or generate/download PDF functionality, SSRF payloads can be tried there.

  3. If HTML can be injected into the application, juicy information about the server can be obtained.

  4. If the application has callback functionality, check it for SSRF.

  5. If the application uses a GraphQL API, try SSRF payloads there.

  6. If the application uses JSON/XML file extensions, an SSRF payload can be sent in between to get server information.

  7. If the application has “Open Redirect“ functionality, check it.

  8. With the help of the “WaybackUrls / Waymore“ tools, grab the “JS“ files and fuzz the different endpoints.

Different Bypass to find SSRF

  1. To make a request to the internal server, send the payload with “Encoded characters“.

  2. Use a “Different Protocol“ to get the internal details.

  3. Use different “Localhost Representations“ (“http://127.0.0.1“ , “http://127.1“ , “http://0.0.0.0“ , “http://localhost“).

  4. If the server blocks the above values, “nip.io“ can be used to bypass the block (“http://127.0.0.1.nip.io“).

  5. Abuse differences in the “URL Parser“ (“http://127.0.0.1@@127.0.0.1”).

  6. Use “DNS Rebinding“ (“http://rebinder.html“).

Different Vulnerability chain with SSRF

  1. Remote Code Execution: If the attacker reaches a service that allows command injection (“Docker“ , “Redis“ , “Webhook“).

  2. Local File Inclusion: If the attacker can fetch URLs through wrappers such as “php://“ or “file://“, internal files like “/etc/passwd“ or “/var/www/html/config/php/“ can be read; the PHP wrapper sends the data back.

  3. Open Redirect: If the application has “Redirect“ functionality, change the redirect target to the SSRF payload.

  4. Port Scanning: The attacker uses SSRF to scan internal services running on different ports.

  5. Cloud Metadata API Exploitation: The attacker makes a request to the internal metadata server when the application is running on a cloud instance (“http://169.254.169.254/latest/meta-data/iam/security-credentials“).

  6. Cross-Site Request Forgery: If the attacker reaches an internal server where an admin panel is running, SSRF can be used to change the password.

Impact

  1. Reputation and Financial Damage: Data breaches and security incidents damage an organization's reputation and lead to loss of customer trust.

  2. Access to Internal Services: If an attacker gains access to an internal service, sensitive details of that service may leak, and the attacker may even control the internal system.

  3. Data Exfiltration: An attacker can use SSRF to exfiltrate data from internal services.

Mitigation

  1. Sanitize and validate all input supplied by the client.

  2. Don't send the raw response back to the client.

  3. Create an allowlist of all permitted parameters.

  4. Make sure the URL that is validated is the same one that is actually requested, to avoid “DNS Rebinding“ attacks.

  5. Disable HTTP redirection.

  6. Don't use coding libraries that are potentially harmful (“PHP Wrapper“ , “Python (urllib)“ , “Java (class)“).

  7. Use caching techniques so that the server does not make multiple requests.
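As an added example (not code from the original post), a Python validator for outbound URLs that applies mitigations 1, 3 and 4 above: an allowlist of schemes and hosts, rejection of userinfo (the “@“ parser trick), resolution of every DNS record with rejection of any internal or metadata address, and a pinned IP so that DNS rebinding cannot change the target between the check and the request. The host names and addresses used are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges an outbound fetch must never reach; 169.254.0.0/16 covers the
# cloud metadata endpoint 169.254.169.254 mentioned above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    """True if addr is loopback, private, link-local or otherwise non-public."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (any(addr in net for net in BLOCKED_NETWORKS) or addr.is_private
            or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved)

def resolve_all(host):
    """Resolve host to every A/AAAA record it maps to (real DNS lookup)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def validate_outbound_url(url, allowed_hosts, resolver=resolve_all):
    """Return (ok, reason, pinned_ip) for a user-supplied URL.

    The caller must connect to pinned_ip (sending the hostname in the Host
    header) rather than resolving the name again, so DNS rebinding cannot
    swap in an internal address between the check and the request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None      # blocks file://, gopher://
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", None    # rejects http://x@host forms
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in {h.lower() for h in allowed_hosts}:
        return False, "host not in allowlist", None   # 127.1, nip.io etc. fail here
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve", None
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to an internal address", None  # every record checked
    return True, "ok", str(min(addrs, key=str))
```

This only validates the initial URL: the HTTP client that follows must still have redirects disabled (item 5) and must not return the raw response to the client (item 2).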
