Home  ›  All Blogs  ›  arjuns  › 

A Basic Approach To SSRF

    arjuns
    11-March-2021

Server Side Request Forgery

Overview

What is SSRF?

SSRF (Server Side Request Forgery) is the attack that allows an attacker to send a request on behalf of the server, It is a web to network level attack that compromises the internal machines, basically, a request being getting forged and sending it to the victim’s server. The risk of SSRF may depend on how much information is being accessed, from low to critical

SSRF Types

Typical SSRF

This is the basic SSRF, when an attacker can see the response of their malicious payload getting executed. Here we are able to perform read/write operation In the response

Blind SSRF

In this type, the attacker can’t actually see the payload response, but they can see if the outbound connection has been done or not via providing there server URL. Here an attacker has to log the output in his own server. Typically a Blind SSRF harder to exploit

Detected SSRF?

• Make sure the request is incoming from the target system and
not from your own IP

• Try to Scan the Internal/External Port

• Try reading the files

• Read AWS metadata

Why does an SSRF Occur?

Whenever any parameter makes the request to any third-party URL, it may be vulnerable to SSRF if the proper filtration is not done, A developer must set the whitelist URL, which is a website should strictly access. If the whitelist is not sufficient. the developer can approach the blacklist URL, which can blacklist the malicious URL. The developer should never trust the user input

Impact of SSRF

The actual impact of SSRF may depend on how much information is accessed or read. The Severity of SSRF begins from Low to High.The attacker can scans the ports of the network. If local network is secure, he can scan any other website port, through the victim’s network. it works like proxy. If the file:/// and gopher:/// schema is enabled we can read the internal files as well

An Example of Port Scanning

Here we have provided the 127.0.0.1:22 for reading the local network with 22 port for reading the SSH

URL

We can see the attacker was able to read the SSH Port number 22

Output

An Example of File Reading

URL

Output of file reading.. Attacker can read the Internal Files

Fileread

Approaching the SSRF

Till now, we know what is SSRF, and its impact. In this section, we will learn how to approach and where to look for it. There will be two methods we will show you in order to define an approach for basic SSRF

Import Function

Import

Some Application integrate-third party services for importing images to their services, for example Google drive, Drop box, One drive. when importing the images from their service to your target, make sure to intercept each and every request. You may encounter a URL or similar parameter which is carring the image URL. Here you can try for SSRF. The Request method could be GET or POST. Here is the example

Request

You can change the URL parameter value and can check for SSRF

Web Hooks

A web hook delivers data to other applications as it happens, meaning you get data immediately. Unlike typical APIs where you would need to poll for data very frequently in order to get it real-time. This makes web hooks much more efficient for both the provider and the consumer. The only drawback to webhooks is the difficulty of initially setting them up.

Note: Not all the outbound connection is SSRF, sometimes your browser makes the request, so make sure to check the IP in your log, from where the request is coming

Bypassing Basic Filters

Whenever you encounter a parameter that makes the outbound connection, that doesn’t necessarily mean you can easily read the file and escalate (of course you can).There are some filters on the backend which restrict and reject the payload. Those are Blacklist and Whitelist filter. Both filters work differently, and keeping that in mind you have construct your payload.

Note: Not all the outbound connection is SSRF, sometime your browser makes the request, so make sure to check the IP in your log, from where the request is coming

For Bypassing filter, you can visit the
Click here to know cheat of SSRF filter

Reading the AWS Metadata

After confirming the SSRF. We can move to the next step, where we can pull the data from the AWS instance. We can pull the access key, Secret keys, and other credentials

Here are some of the payload that pulls the data from an AWS instance

http://169.254.169.254/latest/dynamic/instance-identity/document

http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role

http://169.254.169.254/latest/user-data

http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance

http://169.254.169.254/latest/meta-data/ami-id

http://169.254.169.254/latest/meta-data/reservation-id

http://169.254.169.254/latest/meta-data/hostname

http://169.254.169.254/latest/meta-data/public-keys/

http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy

http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

http://169.254.169.254/latest/dynamic/instance-identity/document

References

https://github.com/jdonsec/AllThingsSSRF

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Get in touch with us. Click on the get started button below.

Get to know more about our process, methodology & team!

Close the overlay

I am looking for
Please click one!