SSRF
The website server make HTTP requests to the attacker domain.
Server side request forgery Induce the server-side application to make HTTP requests to an random domain of the attacker's choosing.
Exploiting
SSRF against the server itself
Attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface for example: http://localhost/admin.
SSRF against other back-end systems
Attacker can exploit the SSRF vulnerability to access the other interface by submitting a internal HTTP request (http://192.168.1.105/admin).
Blind SSRF vulnerabilities
Response from the back-end request is not returned in the application's front-end response.
Find vulnerability:
Observe a DNS look-up for the supplied Burp Collaborator domain.
Example (Blind SSRF with Shellshock exploitation):
Bypass
Bypass blacklist-based
Change "127.0.0.1" to:
Registering your own domain name that resolves to 127.0.0.1. You can use
spoofed.burpcollaborator.netfor this purpose.Obfuscating blocked strings using URL encoding or case variation.
Example:
Bypass whitelist-based
Using "@" char
https://expected-host@evil-host.netUsing "#" char
https://evil-host#expected-host.netCreate a invalid domain
https://expected-host.evil-host.netUse URL-encode characters to confuse the URL-parsing code
http://localhost:80%2523@evil-host.net/admin
Bypassing SSRF filters via open redirection
Example 1:
/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin
Example 2:
If "/product/stock" vulnerable to SSRF and /nextProduct vulnerable to OpenRedirect, Then:
Last updated
