In this section, we’ll explain what server-side request forgery is, describe some common examples, and explain how to find and exploit various kinds of SSRF vulnerabilities.
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure.
In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
Server-Side Request Forgery, also known as SSRF, refers to an attack that lets an attacker send crafted requests from the back-end server of a vulnerable web application.
SSRF is commonly used by attackers to target internal networks that are behind firewalls and can not be reached from an external network.
When the attacker has complete or partial control over the request that the web application sends, SSRF vulnerabilities occur.
If the vulnerable web application processes the user-supplied URLs, then the application is vulnerable to SSRF attacks.
Cross-Site Port Attack (XSPA) is also part of SSRF. In XSPA, an attacker can scan the open port of a targeted web server with the help of a vulnerable web application that is processing the user’s URL.
SSRF attacks often exploit trust relationships to escalate an attack from the vulnerable application and perform unauthorized actions.
These trust relationships might exist in relation to the server itself, or to other back-end systems within the same organization.
If the user-supplied URL is processed and the back-end response is not sanitized, then the attack can lead to several impacts, like:
In an SSRF attack against the server itself, the attacker induces the application to make an HTTP request back to the server that is hosting the application via its loopback network interface.
This will typically involve supplying a URL with a hostname like 127.0.0.1 (a reserved IP address that points to the loopback adapter) or localhost (a commonly used name for the same adapter).
For example, consider a shopping application that lets the user view whether an item is in stock in a particular store.
To provide stock information, the application must query various back-end REST APIs, depending on the product and store in question.
The function is implemented by passing the URL to the relevant back-end API endpoint via a front-end HTTP request. So when a user views the stock status for an item, their browser makes a request like this:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
This causes the server to make a request to the specified URL, retrieve the stock status, and return this to the user.
In this situation, an attacker can modify the request to specify a URL local to the server itself. For example:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://localhost/admin
Here, the server will fetch the contents of the /admin URL and return it to the user.
Of course, the attacker could just visit the /admin URL directly. But the administrative functionality is ordinarily accessible only to suitable authenticated users.
So an attacker who simply visits the URL directly won’t see anything of interest. However, when the request to the /admin URL comes from the local machine itself, the normal access controls are bypassed.
The application grants full access to the administrative functionality, because the request appears to originate from a trusted location.
Why do applications behave in this way, and implicitly trust requests that come from the local machine? This can arise for various reasons:
Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with other back-end systems that are not directly reachable by users.
These systems often have non-routable private IP addresses. Since the network topology typically protects the back-end systems, they frequently have a weaker security posture.
In many cases, internal back-end systems have sensitive functionality that anyone with access to the systems can access without authentication.
In the preceding example, suppose there is an administrative interface at the back end. Here, an attacker can exploit the SSRF vulnerability to access the administrative interface by submitting the following request:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://192.168.0.68/admin
It is common to see applications containing SSRF behavior together with defenses aimed at preventing malicious exploitation. Often, these defenses can be circumvented.
Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:
Some applications only allow input that matches, begins with, or contains, a whitelist of permitted values. In this situation, you can sometimes circumvent the filter by exploiting inconsistencies in URL parsing.
The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:
https://expected-host:fakepassword@evil-host
You can use the # character to indicate a URL fragment. For example:
https://evil-host#expected-host
You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example:
https://expected-host.evil-host
An exploit of Server-side request forgery (SSRF)
Whilst I was the main developer of this project, this project couldn’t of even started without the help of these open source projects, special thanks to:
This is an example of how you may give instructions on setting up your project locally. To get a local copy up and running follow these simple example steps.
git clone https://github.com/errorfiathck/ssrf-exploit.git
2. cd to directory
cd ssrf-exploit
3. Run the script as an example:
python3 ssrf-exploition.py --help
4. Have fun!
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…