Server-Side Request Forgery SSRF

Impact of SSRF:

1: Internal Network Scanning (Port Scan).

2: Remote Code Execution (RCE).

3: Application Level DoS (Denial of Service).

Types of SSRF Vulnerabilities:

1: Regular (In-Band): the site returns the response to the payload directly.

2: Blind (Out-of-Band): the site returns no response to the payload.

Brief overview (Hunting Approach):

1: Finding requests whose parameters carry a hostname, an IP address, or a full URL.

2: Replacing that value with a test payload.

3: Analyzing Response.

Blind SSRF Hunting:

1: A URL on a server the tester controls is used as the payload, so the out-of-band request can be observed there.

Bad security practices and their bypasses:

Blacklisting by regular expression or keyword:

Blacklist bypasses:

A. Using encoding:

    1: The decimal-encoded form of 127.0.0.1 is 2130706433.

    2: The shorthand 127.1 resolves to 127.0.0.1.

    3: The octal representation of 127.0.0.1 is 01770000001.

B. DNS rebinding (a domain that resolves to an internal IP).

C. HTTP redirection (an external server that redirects to an internal IP).

D. Exploiting the URL parser.
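As an added example (my own code, not from the original post), here is the defender-side check that the bypasses above are aimed at: a validator that parses host literals the way inet_aton() does, so the decimal, shorthand, octal and hex forms of 127.0.0.1 all canonicalise to the same address before the blocklist is consulted, then resolves a hostname once and hands back the single IP the fetch must connect to. The function names and the blocklist are my assumptions; the caller is expected to connect to the returned IP rather than re-resolve the name, and to disable automatic redirects, which is what closes the DNS rebinding and HTTP redirection routes.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Never a valid fetch destination: loopback, RFC 1918, link-local (cloud metadata), CGNAT, 0.0.0.0/8, IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "100.64.0.0/10", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]
# The three number forms inet_aton() accepts for each dotted part: hex, octal, decimal.
PART_BASES = {r"0[xX][0-9a-fA-F]+": 16, r"0[0-7]+": 8, r"0|[1-9][0-9]*": 10}

def parse_ipv4_literal(host):
    # Mimic inet_aton(): 1-4 dot-separated parts, the last one filling every remaining
    # byte, so 127.1, 2130706433, 0177.0.0.1 and 0x7f.1 are all 127.0.0.1. None if not a literal.
    values = []
    for p in host.split("."):
        base = next((b for pat, b in PART_BASES.items() if re.fullmatch(pat, p)), None)
        if base is None:
            return None
        values.append(int(p, base))
    *head, last = values
    if len(head) > 3 or any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    for shift, v in enumerate(reversed(head)):
        last |= v << 8 * (4 - len(head) + shift)
    return ipaddress.IPv4Address(last)

def resolve_destination(url):
    # Returns the one IP the fetch may connect to, or raises ValueError (connect to it; no redirects).
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    ip = parse_ipv4_literal(u.hostname)  # hostname is lower-cased, IPv6 brackets stripped
    if ip is None:
        try:
            ip = ipaddress.ip_address(u.hostname)  # IPv6 literal such as ::1
        except ValueError:
            ip = ipaddress.ip_address(socket.getaddrinfo(u.hostname, None)[0][4][0])  # DNS, once
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if any(ip in net for net in BLOCKED_NETS):
        raise ValueError(f"{u.hostname} resolves to blocked address {ip}")
    return ip

def is_allowed(url):
    try:
        return bool(resolve_destination(url))
    except (ValueError, OSError):  # OSError: the DNS lookup itself failed
        return False
```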

What is the impact of SSRF attacks?

Answer: A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In certain situations, the SSRF vulnerability may enable an attacker to execute arbitrary commands.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks appearing to originate from the organization hosting the vulnerable application.
