Server Side Request Forgery (SSRF) - Ravi-Upadhyay/cyber-security-playground GitHub Wiki
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).
The attack is a form of parameter tampering: the attacker supplies the URL, but the web application server makes the request, so the request originates from the server and appears internal (and therefore trusted) to the victim system.
- Cloud server metadata - for example AWS provides a REST interface on http://169.254.169.254/ from which important configuration and keys can be extracted.
- Database HTTP interfaces.
- Internal REST interfaces.
- Files - using file:// URIs.
- Server Side Request Forgery is a severe vulnerability; depending on the possible impact it is rated High or even Critical (especially if it leads to OS command execution).
- A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. Such attacks often exploit trust relationships: the vulnerable server sits inside the network perimeter and the systems it talks to may trust it implicitly.
- In some situations, the SSRF vulnerability can be chained into arbitrary command execution.
- A tool such as nmap can be used to see the open ports of a server from the outside (see the references below for details).
- To probe ports that are reachable only internally, supply URLs for common ports through the vulnerable parameter, e.g. http://127.0.0.1:3306/ for MySQL, and compare the responses (status code, error message, response time) to tell open ports from closed or filtered ones. For a list of common ports, see the references below.
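The port probing described above, as an added example that is not part of the original wiki page: it builds the probe URLs for a hypothetical vulnerable endpoint (`https://app.example/fetch?url=...`, an assumed name) and classifies constructed sample responses by the differences in status, error text and timing. The heuristics in `classify` assume the behaviour of a typical server-side HTTP fetcher; a real target's signals will differ and must be calibrated against a port known to be open and one known to be closed.

```python
import urllib.parse

# Ports commonly probed through an SSRF hole (constructed list for this example).
COMMON_PORTS = {
    22: "ssh", 80: "http", 443: "https", 3306: "mysql",
    5432: "postgresql", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}


def build_probe_urls(endpoint, param, target="127.0.0.1", ports=COMMON_PORTS):
    """Return {port: probe_url}: each probe asks the vulnerable endpoint to fetch http://target:port/."""
    probes = {}
    for port in ports:
        inner = f"http://{target}:{port}/"
        probes[port] = f"{endpoint}?{param}={urllib.parse.quote(inner, safe='')}"
    return probes


def classify(status, elapsed_s, body, timeout_s=5.0):
    """Infer the internal port state from how the application relayed the request.

    Assumed behaviour of a typical fetcher (heuristic, to be calibrated per target):
      - a refused connection surfaces quickly as an error mentioning the failure,
      - a filtered port hangs until the fetcher's timeout,
      - an open HTTP service returns its content with a 2xx/3xx status,
      - an open non-HTTP service (MySQL, Redis, SSH, ...) answers with bytes the
        fetcher cannot parse, which it reports as a protocol error, still quickly.
    """
    text = body.lower()
    if elapsed_s >= timeout_s:
        return "filtered (timeout)"
    if "connection refused" in text:
        return "closed"
    if "protocol" in text or "malformed" in text or "bad status line" in text:
        return "open (non-HTTP service)"
    if 200 <= status < 400:
        return "open (HTTP service)"
    return "unknown"


# Constructed sample responses, shaped like what a target might relay: (port, status, elapsed, body).
SAMPLE_RESPONSES = [
    (22, 500, 0.04, "Error: received HTTP/0.9 when not allowed (bad status line)"),
    (80, 200, 0.05, "<html><title>Internal admin</title></html>"),
    (3306, 500, 0.03, "Error: protocol error: invalid response"),
    (6379, 500, 0.03, "Error: malformed response"),
    (8080, 500, 0.02, "Error: connect ECONNREFUSED 127.0.0.1:8080 (connection refused)"),
    (9200, 500, 5.00, "Error: request timed out"),
]


def scan_from_samples(samples=SAMPLE_RESPONSES, timeout_s=5.0):
    """Classify each constructed response; returns {port: state}."""
    return {port: classify(status, elapsed, body, timeout_s) for port, status, elapsed, body in samples}


if __name__ == "__main__":
    for port, url in build_probe_urls("https://app.example/fetch", "url").items():
        print(f"{port:>5}  {url}")
    for port, state in scan_from_samples().items():
        print(f"{port:>5}  {state}")
```

If the application returns nothing of the fetched response, the status and error text are unavailable and timing alone is the signal; a refused port still answers in milliseconds while a filtered one takes the full timeout.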
- Avoid using user-supplied input to make requests on behalf of the server; where a URL must be accepted, restrict it to the minimum needed.
- All internal resources should have proper authentication mechanisms. It is common for internal systems such as databases, MongoDB, Redis and ElasticSearch to be left unsecured because they are "only reachable internally"; SSRF removes that assumption.
- Create a whitelist of accepted IP addresses and DNS records for internal server connections, and validate the resolved IP address rather than only the host string, since a DNS name can be pointed at an internal address.
- Disable unused URL schemes and ports, e.g. ftp://, file://, dict://.
- Blacklist-based input filters are not a good option, as there are several ways to circumvent them (alternative encodings of the same IP address, redirects, DNS tricks). For more details see the PortSwigger reference below.
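A hardened URL check implementing the mitigations listed above, as an added example that is not code from the original wiki page: the scheme, port and host are checked against an explicit allowlist, every address the host resolves to is required to be public (which rejects loopback, RFC 1918 and the link-local metadata address 169.254.169.254), and credentials in the URL are refused so that `http://allowed.host@10.0.0.5/` cannot smuggle a different host. The policy constants (`ALLOWED_HOSTS` and friends) and the `FAKE_DNS` answers are assumptions constructed for the example so that it runs offline; in production the resolver is the system one. Because the check resolves the name instead of matching strings, alternative spellings such as `http://2130706433/` or `http://127.1/` need no special casing.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical outbound policy for a "fetch this URL" feature (assumed names for this example).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"files.example.com", "cdn.example.com"}


class SsrfRejected(ValueError):
    """Raised when a user-supplied URL fails the outbound-request policy."""


def _system_resolve(host):
    """Resolve host to all of its IP addresses using the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip):
    """True only for globally routable unicast addresses.

    is_global is False for loopback, RFC 1918, link-local (which includes the cloud
    metadata address 169.254.169.254), shared address space and reserved ranges.
    IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are unwrapped first.
    """
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolve=_system_resolve):
    """Return (scheme, host, port, ip) for a URL the server may fetch, else raise SsrfRejected.

    The caller should connect to the returned ip (sending host in the Host header) rather
    than resolving the name again, so a changing DNS answer cannot bypass the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("credentials in URL are not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise SsrfRejected("missing host")
    host = host.rstrip(".")
    try:
        port = parts.port
    except ValueError:
        raise SsrfRejected("invalid port")
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise SsrfRejected(f"host not on allowlist: {host!r}")
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError) as exc:
        raise SsrfRejected(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs or not all(_is_public(a) for a in addrs):
        raise SsrfRejected(f"{host!r} resolves to a non-public address: {[str(a) for a in addrs]}")
    return scheme, host, port, str(addrs[0])


# Constructed DNS answers standing in for the real resolver in the demo (not real records).
FAKE_DNS = {
    "files.example.com": ["1.2.3.4"],
    "cdn.example.com": ["169.254.169.254"],  # an allowlisted name an attacker re-pointed at the metadata service
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


def verdict(url, resolve=fake_resolve):
    """Human-readable outcome of the policy check for one URL."""
    try:
        scheme, host, port, ip = validate_fetch_url(url, resolve)
        return f"ALLOW {scheme}://{host}:{port} via {ip}"
    except SsrfRejected as exc:
        return f"REJECT {exc}"


if __name__ == "__main__":
    for candidate in [
        "https://files.example.com/report.pdf",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "dict://files.example.com:80/",
        "http://files.example.com@10.0.0.5/",
        "http://2130706433/",
        "http://files.example.com:6379/",
        "http://cdn.example.com/",
    ]:
        print(f"{candidate:45} {verdict(candidate)}")
```

Two things the check alone does not cover: the fetcher must not follow redirects automatically (an allowlisted host can answer 302 to an internal address), or must re-validate every hop, and it must connect to the IP returned here rather than letting the HTTP library resolve the name a second time.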
- PortSwigger - SSRF
- OWASP - SSRF
- OWASP - SSRF Bible PDF
- OWASP - Cheatsheet - SSRF
- Exploiting Open Internal Ports - List of common ports
[ ] Integrate the OWASP example or lab activity