What is SSRF?
SSRF (Server-Side Request Forgery) is an attack that allows an attacker to send requests on behalf of the server. It is a web-to-network-level attack that compromises internal machines: the attacker forges a request and has the victim's server send it. The risk of SSRF depends on how much information is being accessed, and ranges from low to critical.
SSRF Types
Typical SSRF
This is the basic SSRF, in which the attacker can see the response to their malicious payload once it is executed. Here we are able to perform read/write operations in the response.
Blind SSRF
In this type, the attacker cannot actually see the response to the payload, but can tell whether an outbound connection was made by supplying the URL of their own server. Here the attacker has to log the output on their own server. A blind SSRF is typically harder to exploit.
Detected SSRF?
• Make sure the request is coming from the target system and not from your own IP
• Try to scan the internal/external ports
• Try reading files
• Read the AWS metadata
Why does an SSRF Occur?
Whenever a parameter makes the server send a request to a third-party URL, it may be vulnerable to SSRF if proper filtering is not done. A developer must set a whitelist of URLs, which are the only ones the website should strictly access. If the whitelist is not sufficient, the developer can add a blacklist that blocks malicious URLs. The developer should never trust user input.
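One way to combine the whitelist and blacklist described above, as an added example that is not code from the original post: the URL must use an allowed scheme and an allowlisted host, and every address that host resolves to must be public. The host names, the `check_url` and `resolve` helpers and the resolver data are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # rejects file://, gopher:// and the rest
ALLOWED_HOSTS = {"hooks.example.com", "cdn.example.com"}  # hypothetical allowlist


def resolve(host):
    """Return every IP address the host name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_url(url, resolver=resolve):
    """Decide whether the server may fetch a user-supplied URL: (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        addresses = []
    if not addresses:
        return False, "host does not resolve"
    # Deny-list step: an allowlisted name must not point at loopback,
    # private or link-local space (169.254.169.254 is link-local).
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver data so the example runs offline.
FAKE_DNS = {"hooks.example.com": ["93.184.216.34"],
            "cdn.example.com": ["169.254.169.254"]}

if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/cb", "file:///etc/passwd",
                      "http://127.0.0.1:22/", "http://cdn.example.com/x"):
        print(candidate, check_url(candidate, FAKE_DNS.__getitem__))
```

The fetch that follows should connect to the address that was validated and re-run the check on every redirect, otherwise a second DNS lookup or a redirect can land on an internal address after the check has passed.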
Impact of SSRF
The actual impact of SSRF depends on how much information is accessed or read. The severity of SSRF ranges from Low to High. The attacker can scan the ports of the network. If the local network is secure, the attacker can scan the ports of any other website through the victim's network, which then works like a proxy. If the file:/// and gopher:/// schemes are enabled, internal files can be read as well.
An Example of Port Scanning
Here we have provided 127.0.0.1:22, which targets the local network on port 22 in order to read the SSH service.
Approaching the SSRF
So far, we have seen what SSRF is and what its impact can be. In this section, we will learn how to approach it and where to look for it. We will show two methods that define an approach for basic SSRF.
Import Function
## Web Hooks
A web hook delivers data to other applications as it happens, meaning you get data immediately, unlike typical APIs, where you would need to poll for data very frequently in order to get it in real time. This makes web hooks much more efficient for both the provider and the consumer. The only drawback to web hooks is the difficulty of initially setting them up.
Note: Not every outbound connection is SSRF; sometimes your browser makes the request, so make sure to check the IP in your log to see where the request is coming from.
## Bypassing Basic Filters
Whenever you encounter a parameter that makes an outbound connection, that doesn't necessarily mean you can easily read files and escalate (of course you can). There are filters on the backend which restrict and reject the payload: the blacklist and whitelist filters. The two filters work differently, and you have to construct your payload with that in mind.
For bypassing filters, you can visit the [SSRF filter cheat sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery).
## Reading the AWS Metadata
After confirming the SSRF, we can move to the next step, where we pull data from the AWS instance. We can pull the access key, secret keys, and other credentials.
Here are some of the payloads that pull data from an AWS instance:
http://169.254.169.254/latest/dynamic/instance-identity/document
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
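The requests listed above are easy to spot from the defender's side if the application logs every URL it fetches on a user's behalf. The following added example (not part of the original post) scans such a log and grades each hit; the log format, the user names and the `classify` and `scan` helpers are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")
CRED_PREFIX = "/latest/meta-data/iam/security-credentials/"

# Constructed sample of an application's outbound-fetch log (format assumed).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice url=https://hooks.example.com/notify
2024-05-01T10:00:07Z user=mallory url=http://127.0.0.1:22/
2024-05-01T10:00:09Z user=mallory url=http://169.254.169.254/latest/meta-data/
2024-05-01T10:00:12Z user=mallory url=http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
2024-05-01T10:00:15Z user=bob url=file:///etc/passwd
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+)$")


def classify(url):
    """Return (severity, reason) for a suspicious fetch target, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "high", "non-HTTP scheme"
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None  # a host name; judging it needs DNS, out of scope here
    if ip == METADATA_IP:
        if unquote(parts.path).startswith(CRED_PREFIX):
            return "critical", "instance role credentials requested"
        return "high", "instance metadata service"
    if not ip.is_global:
        return "medium", "internal address"
    return None


def scan(log_text):
    """Return (user, severity, reason) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        verdict = classify(match["url"]) if match else None
        if verdict:
            findings.append((match["user"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```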
## References
https://github.com/jdonsec/AllThingsSSRF