A Basic Approach To SSRF

What is SSRF?

SSRF (Server Side Request Forgery) is the attack that allows an attacker to send a request on behalf of the server, It is a web to network level attack that compromises the internal machines, basically, a request being getting forged and sending it to the victim’s server. The risk of SSRF may depend on how much information is being accessed, from low to critical

SSRF Types

Typical SSRF

This is the basic SSRF, when an attacker can see the response of their malicious payload getting executed. Here we are able to perform read/write operation In the response

Blind SSRF

In this type, the attacker can’t actually see the payload response, but they can see if the outbound connection has been done or not via providing there server URL. Here an attacker has to log the output in his own server. Typically a Blind SSRF harder to exploit

Detected SSRF?

• Make sure the request is incoming from the target system and
not from your own IP
• Try to Scan the Internal/External Port
• Try reading the files
• Read AWS metadata

Why does an SSRF Occur?

Whenever any parameter makes the request to any third-party URL, it may be vulnerable to SSRF if the proper filtration is not done, A developer must set the whitelist URL, which is a website should strictly access. If the whitelist is not sufficient. the developer can approach the blacklist URL, which can blacklist the malicious URL. The developer should never trust the user input

Impact of SSRF

The actual impact of SSRF may depend on how much information is accessed or read. The Severity of SSRF begins from Low to High.The attacker can scans the ports of the network. If local network is secure, he can scan any other website port, through the victim’s network. it works like proxy. If the file:/// and gopher:/// schema is enabled we can read the internal files as well

An Example of Port Scanning

Here we have provided the 127.0.0.1:22 for reading the local network with 22 port for reading the SSH

![URL](/static/images/remoteblogs/arjuns/arjun_blog/22 port.PNG)
We can see the attacker was able to read the SSH Port number 22

![Output](/static/images/remoteblogs/arjuns/arjun_blog/ssh.PNG)
An Example of File Reading

![URL](/static/images/remoteblogs/arjuns/arjun_blog/URL.PNG)
Output of file reading.. Attacker can read the Internal Files

![Fileread](/static/images/remoteblogs/arjuns/arjun_blog/etc.PNG)

Approaching the SSRF

Till now, we know what is SSRF, and its impact. In this section, we will learn how to approach and where to look for it. There will be two methods we will show you in order to define an approach for basic SSRF

Import Function

![Import](/static/images/remoteblogs/arjuns/arjun_blog/import%20function.PNG)
Some Application integrate-third party services for importing images to their services, for example Google drive, Drop box, One drive. when importing the images from their service to your target, make sure to intercept each and every request. You may encounter a URL or similar parameter which is carring the image URL. Here you can try for SSRF. The Request method could be GET or POST. Here is the example

![Request](/static/images/remoteblogs/arjuns/arjun_blog/ssrf request.PNG)
You can change the URL parameter value and can check for SSRF

## Web Hooks

A web hook delivers data to other applications as it happens, meaning you get data immediately. Unlike typical APIs where you would need to poll for data very frequently in order to get it real-time. This makes web hooks much more efficient for both the provider and the consumer. The only drawback to webhooks is the difficulty of initially setting them up.

Note: Not all the outbound connection is SSRF, sometimes your browser makes the request, so make sure to check the IP in your log, from where the request is coming

## Bypassing Basic Filters

Whenever you encounter a parameter that makes the outbound connection, that doesn’t necessarily mean you can easily read the file and escalate (of course you can).There are some filters on the backend which restrict and reject the payload. Those are Blacklist and Whitelist filter. Both filters work differently, and keeping that in mind you have construct your payload.

Note: Not all the outbound connection is SSRF, sometime your browser makes the request, so make sure to check the IP in your log, from where the request is coming

For Bypassing filter, you can visit the
[Click here to know cheat of SSRF filter](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)

## Reading the AWS Metadata

After confirming the SSRF. We can move to the next step, where we can pull the data from the AWS instance. We can pull the access key, Secret keys, and other credentials

Here are some of the payload that pulls the data from an AWS instance

http://169.254.169.254/latest/dynamic/instance-identity/document

http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role

http://169.254.169.254/latest/user-data

http://169.254.169.254/latest/user-data/iam/security-credentials/%5BROLE NAME]

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/meta-data/iam/security-credentials/%5BROLE NAME]

http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance

http://169.254.169.254/latest/meta-data/ami-id

http://169.254.169.254/latest/meta-data/reservation-id

http://169.254.169.254/latest/meta-data/hostname

http://169.254.169.254/latest/meta-data/public-keys/

http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

http://169.254.169.254/latest/meta-data/public-keys/%5BID%5D/openssh-key

http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy

http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

http://169.254.169.254/latest/dynamic/instance-identity/document

## References

https://github.com/jdonsec/AllThingsSSRF

## About Payatu

> [Payatu](https://payatu.com) is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Get in touch with us. Click on the get started button below.

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by