Web apps often make server-side requests to other servers, typically to fetch outside resources (software updates, importing data from a URL, etc.).
SSRF lets an attacker abuse a parameter the web app uses to build such a request, so that the server issues a request the attacker creates or controls.
The server interacts with a URL supplied by the attacker and may read or update internal resources as a result.
The attacker can supply a whole URL, or modify one the app builds (with path traversal, for example).
SSRF can be used to reach internal systems behind firewalls that the attacker cannot reach directly.
The attacker may reach services bound to the loopback interface (127.0.0.1) of the exploited server.
The attacker may be able to read server-side configuration, extract authentication keys, connect to and/or perform POST requests against internal services, read local files via file:// URLs, etc.
Impact
Scan ports and IP addresses: supply internal host:port values and infer open/closed from differences in response time, status code, or error message.
Interact with other protocols (gopher://, dict://, file://, etc.), depending on what the server-side HTTP client supports.
Discover the IP addresses of servers running behind a reverse proxy.
RCE (see below).
RCE via SSRF
RCE can be achieved by pushing asynchronous jobs onto a Redis (key:value database) queue that an application then executes. The gopher:// protocol is what makes this possible over SSRF: the server-side client writes the URL's path bytes to the TCP socket verbatim, so the attacker can speak raw Redis commands to an internal Redis instance.
Many Redis instances don't use any form of authentication, which makes the attack easier.
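Added example (my own, not part of the original notes) of the encoding step above: a Redis command is serialized as RESP and percent-encoded into a gopher:// URL, so the percent-decoded payload reaches Redis as ordinary protocol. The host, port, queue name and job body are hypothetical placeholders.

```python
"""Added example (not from the original notes): how a gopher:// URL carries
raw Redis protocol (RESP) through an SSRF. Host, port, queue name and job
body below are hypothetical placeholders."""
from urllib.parse import quote


def resp_encode(args):
    """Encode one Redis command as a RESP array:
    ["PING"] -> "*1\r\n$4\r\nPING\r\n". Lengths are byte lengths."""
    out = f"*{len(args)}\r\n"
    for a in args:
        a = str(a)
        out += f"${len(a.encode())}\r\n{a}\r\n"
    return out


def gopher_redis_url(host, port, commands):
    """Build gopher://host:port/_<payload>. The '_' is the gopher item-type
    character, which the client strips; the percent-decoded remainder is
    written to the socket as-is, so Redis parses it as RESP commands.
    `safe=''` forces every non-alphanumeric byte (CR, LF, '*', '$', '/')
    to be percent-encoded."""
    payload = "".join(resp_encode(c) for c in commands)
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


if __name__ == "__main__":
    # Hypothetical: push one job onto a queue named "jobs", then disconnect.
    print(gopher_redis_url("127.0.0.1", 6379,
                           [["RPUSH", "jobs", '{"task": "hypothetical"}'],
                            ["QUIT"]]))
```

The defensive takeaway is the one in the Mitigation section: if the server-side client only speaks http and https, this URL is rejected before any socket is opened.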
Mitigation
Allowlist the DNS names or IP addresses your application needs to access and reject everything else (deny by default; a blocklist of internal ranges is easy to bypass). Check the resolved IP as well as the name, and do not follow redirects blindly, since a redirect can point back at an internal address.
To prevent response data leaking, make sure the received response is what you expect (content type, size, format) before passing it on to the user.
Only allow the http and https schemes (no file://, gopher://, dict://, etc.).
Enable authentication for services on the local network (Redis, internal admin interfaces) so that an SSRF alone is not enough to use them.
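Added example (my own, not from the original notes) putting the mitigation list above into code: an unguarded "fetch this URL" helper next to a hardened one that allowlists hosts, allows only http/https, checks the resolved address, refuses redirects and sanity-checks the response. The hostnames in the allowlist, the JSON content-type expectation and the injectable resolver are assumptions for illustration.

```python
"""Added example (not from the original notes): allowlist-based SSRF guard
for a server-side URL fetch. ALLOWED_HOSTS, the JSON content-type check and
the `resolve` hook are assumptions made for this illustration."""
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener, urlopen

# Constructed allowlist: the only hosts this feature legitimately needs.
ALLOWED_HOSTS = {"updates.example.com", "feeds.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url: str) -> bytes:
    """Vulnerable: opens whatever the client supplied. urlopen happily
    follows file:///etc/passwd, http://127.0.0.1:6379/ or a redirect
    to 169.254.169.254."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def is_public_ip(ip: str) -> bool:
    """False for loopback, RFC1918, link-local (cloud metadata), CGNAT,
    multicast and other non-routable ranges."""
    return ipaddress.ip_address(ip).is_global


def url_rejection_reason(url: str, resolve=socket.gethostbyname):
    """Return None if the URL passes every check, else a short reason.
    `resolve` is injectable so the checks run offline; the default
    (gethostbyname) is IPv4-only, which is an assumption of this example."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased, userinfo ('user@') stripped
    if not host or host not in ALLOWED_HOSTS:
        return f"host not in allowlist: {host!r}"
    # An allowlisted name that resolves to 127.0.0.1 or 10.x is still an
    # internal target, so check the address too.
    ip = resolve(host)
    if not is_public_ip(ip):
        return f"{host} resolves to non-public address {ip}"
    return None


class _NoRedirect(HTTPRedirectHandler):
    """Refuse redirects: a 302 to an internal address would bypass the
    checks that were done on the original URL."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise ValueError(f"redirect to {newurl!r} refused")


def fetch_safe(url: str, max_bytes: int = 1_000_000) -> bytes:
    """Hardened fetch: validated URL, no redirects, bounded size, and the
    response must be the JSON this (assumed) import feature expects."""
    reason = url_rejection_reason(url)
    if reason:
        raise ValueError(reason)
    opener = build_opener(_NoRedirect)
    req = Request(url, headers={"User-Agent": "importer/1.0"})
    with opener.open(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/json"):
            raise ValueError(f"unexpected content type {ctype!r}")
        data = resp.read(max_bytes + 1)
        if len(data) > max_bytes:
            raise ValueError("response too large")
        return data
```

One gap this still leaves is DNS rebinding: the name is resolved once for the check and again by the HTTP client, so a hostile resolver can answer differently the second time. Closing that requires connecting to the address that was checked (and setting the Host header yourself), which most HTTP clients need a custom connection hook for.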
Tools
Netsparker. Does it provide value that Burp doesn't?