Mastering Server-side Request Forgery (SSRF): Exploitation Techniques and Practical Labs

Hello Amazing Hacker’s !! I am excited to announce that I am sharing my learnings, learning together, hunting, growing our skills and knowledge, and making a small contribution to the community! My name is Anmol Vishwakarma (also known as Asmodeus). I am a final year student of MCA and a beginner in the cyber security domain. As someone who is eager to learn and explore new opportunities, I am thrilled to be a part of this community.

Today’s topic is Server-side Request Forgery (SSRF), also known as SSRF! Let’s dive into the topic.

What is SSRF?

Server-side Request Forgery (SSRF) is a web application vulnerability that allows attackers to make unauthorized requests from the server to other internal or external systems. The attack exploits the trust that the server places in its own requests and allows attackers to manipulate the server into performing unintended actions. The exploitation of SSRF can lead to severe consequences, including data breaches, sensitive information leakage, and even complete server compromise. As such, it is a critical security issue that requires careful attention and mitigation.

How Does SSRF Work? Understanding the Mechanisms Behind Server-Side Request Forgery?

SSRF is a web application vulnerability that exploits a trust relationship between the server and other systems it interacts with. In SSRF, an attacker can manipulate a server to send unauthorized requests to internal or external systems. This is achieved by exploiting input validation vulnerabilities in the web application that do not properly sanitize user input or parameters in URLs, cookies, or HTTP headers.

The attacker can craft a malicious request with a URL or IP address that points to an internal system that should not be accessible from the outside, such as a database server, network appliance, or backend application. The server, believing that the request is legitimate, will send the request to the target system and receive a response. The attacker can then extract sensitive information from the response, use the response to launch further attacks, or simply use the server as a proxy to make requests to other external systems.

One of the key mechanisms behind SSRF is the trust relationship that servers place in their own requests. Servers often need to interact with other systems, such as databases, DNS servers, or other backend applications, and they trust their own requests to these systems. This trust relationship can be exploited by attackers to manipulate the server into making unauthorized requests.

Another mechanism behind SSRF is the improper input validation that allows attackers to inject malicious input into the web application. This can occur when user input or parameters are not properly validated or sanitized, allowing attackers to insert URLs or IP addresses that point to internal or external systems.

How SSRF Work?

SSRF works by exploiting a vulnerability in web applications that allows attackers to manipulate the server into sending unauthorized requests to other internal or external systems.

Here is a breakdown of how SSRF works:

1. Attacker sends a request to the vulnerable server: The attacker sends a request to the web application server that contains a specially crafted URL. This URL tricks the server into thinking that the request originated from a trusted source.
2. Server blindly trusts its own requests: The web application server blindly trusts its own requests and fails to properly validate the target URL specified in the request.
3. Attacker manipulates the request: The attacker can then manipulate the request to target other internal or external systems, including databases, internal network resources, or other third-party services. By doing so, the attacker can extract sensitive data or perform other malicious actions.
4. Server executes the unauthorized request: The server then sends the unauthorized request to the specified target, with the same permissions and privileges as the trusted server itself. This can lead to unauthorized access and exploitation of the target system.

Types of SSRF attacks?

There are several types of SSRF attacks, including:

1. Basic SSRF: An attacker sends a crafted request to the vulnerable application, which in turn makes a request to a remote server with the attacker’s chosen URL.
2. Blind SSRF: This type of attack is carried out when the response from the remote server is not visible to the attacker. Instead, the attacker relies on indirect evidence to determine if the attack was successful.
3. Out-of-band SSRF: In this type of attack, the attacker can control the DNS or a similar service of the target network to receive data from the remote server.
4. Cross-protocol SSRF: This type of attack involves sending requests to non-HTTP protocols, such as FTP, SMTP, or Telnet, in order to interact with other internal systems.
5. Advanced SSRF: This is a more sophisticated type of attack that involves chaining multiple SSRF vulnerabilities together to gain access to additional internal systems or sensitive information.

Where We Look For SSRF features?

Common features that can lead to SSRF vulnerabilities

1. User-supplied input: SSRF often occurs when user-supplied input is not properly validated or sanitized. Attackers can use user-supplied input to craft malicious URLs that target internal or external systems.
2. Improper URL validation: Web applications that do not properly validate URLs can be vulnerable to SSRF attacks. Attackers can manipulate URLs to target internal systems, bypassing security controls and restrictions.
3. XML or JSON parsing: Web applications that use XML or JSON parsing can be vulnerable to SSRF attacks. Attackers can use malicious input to trick the parser into sending requests to other systems.
4. File inclusion/ Upload features: Web applications that have file inclusion vulnerabilities, such as local file inclusion (LFI) or remote file inclusion (RFI), can be vulnerable to SSRF attacks. Attackers can use these vulnerabilities to send unauthorized requests to other systems.
5. SSRF via DNS rebinding: Web applications that use DNS rebinding can be vulnerable to SSRF attacks. Attackers can use this technique to bypass restrictions and send unauthorized requests to internal systems.
6. Access to internal metadata: Web applications that provide access to internal metadata, such as AWS metadata, can be vulnerable to SSRF attacks. Attackers can use this information to send unauthorized requests to other systems.
7. Backend services: Web applications that rely on backend services, such as databases or message queues, can be vulnerable to SSRF attacks. Attackers can use SSRF to send unauthorized requests to these services.
8. FTP or SMTP interactions: Web applications that interact with FTP or SMTP servers can be vulnerable to SSRF attacks. Attackers can use SSRF to send unauthorized requests to these servers.
9. Cloud-based functions: Web applications that use cloud-based functions, such as AWS Lambda or Google Cloud Functions, can be vulnerable to SSRF Attack
10. Image processing libraries: Web applications that use image processing libraries, such as ImageMagick or GD, can be vulnerable to SSRF attacks. Attackers can use these libraries to send unauthorized requests to other systems.

SSRF Bypass

Bypassing SSRF filters via open redirection: Bypassing SSRF filters via open redirection is a technique that attackers can use to bypass certain SSRF protections. The basic idea is to use an open redirection vulnerability in the target application to redirect the SSRF request to an external domain controlled by the attacker.

To do this, the attacker needs to find an open redirection vulnerability in the target application. An open redirection vulnerability is a type of web application vulnerability that allows an attacker to craft a URL that will redirect the user to an arbitrary website. The attacker can then use this vulnerability to redirect the SSRF request to an external domain controlled by the attacker, bypassing any SSRF filters that may be in place.

To prevent this type of attack, it is important to ensure that any open redirection vulnerabilities in your application are properly identified and fixed. You should also ensure that your application’s SSRF filters are designed to detect and block requests that are redirected to external domains.

It is important to note that attempting to bypass security measures without proper authorization is illegal and can result in severe consequences. It is always best to work with the system owner or a security team to identify and mitigate vulnerabilities in a responsible manner.

How to Prevent From SSRF Attacks?

There are several steps you can take to prevent SSRF vulnerabilities in your applications:

1. Input validation: Validate and sanitize all user inputs to ensure that they contain only expected values and do not include any malicious inputs that can trigger an SSRF vulnerability.
2. Whitelist-based filtering: Use a whitelist-based filtering approach that only allows requests to specific trusted domains and IP addresses. Any other requests should be blocked.
3. URL validation: Validate all URLs that are used in requests to ensure that they are not pointing to internal resources and only point to the intended external resources.
4. Firewall and network segmentation: Use firewalls and network segmentation to isolate servers and services that are accessible from the internet from those that are only accessible from internal networks.
5. Containerization: Use containerization technologies to isolate services and applications from the underlying system, making it harder for an attacker to exploit an SSRF vulnerability.
6. Limiting server resources: Limit the resources that the server can access by running the application in a sandboxed environment with limited access to the file system, network interfaces, and other resources.
7. Security testing: Conduct regular security testing, including penetration testing and vulnerability scanning, to identify and address any vulnerabilities, including SSRF, that may exist in your applications.

Labs and Resources to learn SSRF

Labs:

1. Portswigger SSRF
2. Pentesterlab SSRF

Blogs / writeups / POC

1. https://pentester.land/writeups/
2. https://www.youtube.com/watch?v=TrRmMxUT8wk&list=PL9VLN4DOjAsjjAZiPf_vbGp9eGufX7lKY

That concludes today’s discussion on various topics related to SSRF. I hope you found this tutorial informative and helpful in understanding the mechanisms, types, and prevention techniques of SSRF attacks. Stay tuned for more updates and tutorials on cybersecurity. Thank you for reading!

You can follow me on my Social Account

1. LinkedIn
2. twitter
3. Instagram