SSRF
Theory
Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker can make a vulnerable application send a request the attacker controls. By choosing the URI scheme, the attacker can talk to services that speak different protocols. Getting a server to issue a request is not a vulnerability in itself; it becomes one when you can make requests to things you wouldn't or shouldn't normally have access to, such as internal networks or internal services.
Articles to read:
Detection:
Webhooks: Check parameters such as /file=, /path=, /src= to see whether the application will send requests only to whitelisted destinations. Eg: https://hackerone.com/reports/398641
PDF Generators:
HTML or PDF generators, where a headless browser or similar is used in a privileged network position to generate a preview or PDF.
Ask "Can I upload HTML?" and, if so, "What happens if that HTML fetches external resources?" Check the Content-Type and the body.
Document parsers: Check for file upload features. Test file parsers.
Instead of uploading a file, try sending a URL and see whether the application downloads the content of the URL. Ref: https://hackerone.com/reports/713
E-mail ID field on sign-up pages, e.g.:
user@abc123.burpcollaborator.net
user@1.2.3.4.xip.io
Payloads
Bypass white-list filters:
Create a domain that resolves to 127.0.0.1, e.g. target.myowndomain.com.
http://127.0.0.1:6868%2fstatus%2f?q=http://<white-listed keyword>
Use a custom domain and point it to the target's IP.
https://realurl.com#@evil.com
https://admin:password@www.realurl.com:80@domain.com
Identify other open-redirect vulnerabilities.
Bypass black-list filters:
Decimal and octal IP notation.
URL Encoding.
Blind SSRF
Use JavaScript to exfiltrate data.
What is xip.io?
xip.io is a magic domain name that provides wildcard DNS for any IP address: if your LAN IP address is 10.0.0.1, then 10.0.0.1.xip.io resolves to 10.0.0.1. (The xip.io service itself has since been shut down, but other wildcard-DNS services behave the same way.)
Eg: http://169.254.169.254.xip.io/latest
You can use these domains to access virtual hosts on your development web server from devices on your local network, like iPads, iPhones, and other computers.
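The white-list and black-list bypasses above, and the wildcard-DNS trick, all exploit the gap between what a filter checks and what the HTTP client actually connects to. As an added defensive example (not from the original notes), the Python validator below parses the URL once, canonicalises numeric hosts the way inet_aton does, resolves every DNS answer and rejects anything that is not a public address; STUB_DNS and stub_resolve are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stub DNS: offline stand-in for an attacker zone or an xip.io-style wildcard.
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "target.myowndomain.com": ["127.0.0.1"],        # attacker zone -> loopback
    "169.254.169.254.xip.io": ["169.254.169.254"],  # wildcard DNS -> metadata
}

def stub_resolve(host):
    return STUB_DNS.get(host, [])

def system_resolve(host):
    # Real resolver: every A/AAAA answer counts, not only the first one.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def to_ip(host):
    """Canonicalise literal hosts, incl. decimal (2130706433) and octal (0177.0.0.1)."""
    try:  # inet_aton accepts the same shorthand forms an HTTP client would
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals such as ::1
    except ValueError:
        return None  # not a literal: treat it as a DNS name

def check_outbound_url(url, resolve=system_resolve, allowed_ports=(80, 443)):
    """Return (allowed, reason, pinned_ips); connect only to pinned_ips, never re-resolve."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not http(s)", []
    if p.username is not None or p.password is not None or p.fragment:
        return False, "userinfo or fragment in URL", []  # user:pw@a@b, a#@b
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", []  # e.g. 6868%2fstatus%2f
    if not p.hostname or port not in allowed_ports:
        return False, "missing host or port %s not allowed" % port, []
    literal = to_ip(p.hostname)
    ips = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(p.hostname)]
    if not ips:
        return False, "host does not resolve", []
    bad = [str(ip) for ip in ips if not ip.is_global or ip.is_multicast]
    if bad:
        return False, "non-public address " + ",".join(bad), []
    return True, "ok", [str(ip) for ip in ips]
```

Pass system_resolve for real lookups; the fetcher must then connect only to the returned pinned IPs, otherwise a DNS-rebinding answer defeats the check.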
Protocols
gopher:// (file distribution)
dict:// (dictionary network protocol)
ftp:// (File Transfer Protocol)
file:// (file URI scheme)
ldap:// (Lightweight Directory Access Protocol)
Port-scan on target (wfuzz options):
-c : Output with colours
-z : Payload
--hl=2 : Hide responses with 2 lines
Advanced Attacks
Exploiting SSRF via SMTP. Write-up: https://hackerone.com/reports/392859
DNS Listener:
tcpdump -n udp port 53 | grep "abc.domain.com"
Firewall Bypasses
Owning the Cloud Through SSRF
Cloud Metadata:
Accessible internally, from the machine you have access to. On AWS it is at http://169.254.169.254/ and provides details like internal IP, hostname and secret keys.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Elastic Beanstalk
Then we use the credentials with: aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/