SSRF
Introduction to Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) is a vulnerability that occurs when an application retrieves remote resources without validating user input. This flaw allows an attacker to control the resources requested by the server, often through a user-supplied URL. With control over these requests, attackers can gain access to sensitive data or potentially compromise a vulnerable host. SSRF is listed as #10 on the 2021 OWASP Top 10 and is a rising threat, especially to APIs.
SSRF Impact
The impact of SSRF can be significant:
Data Exposure: An attacker may retrieve private data from internal services.
Network Scanning: SSRF can enable attackers to scan the target’s internal network.
Remote Code Execution: In some cases, SSRF can lead to remote code execution.
Types of SSRF
In-Band SSRF: The server responds with information from the specified URL, which can reveal data to the attacker directly.
Blind SSRF: The server makes the request but does not send the response back to the attacker. The attacker can verify the request by monitoring a server they control.
Example of In-Band SSRF
Intercepted Request:
Attack:
Response:
Example of Blind SSRF
For Blind SSRF, you can use a service like webhook.site to confirm the server’s request:
Attack:
Check webhook.site for request logs instead of relying on the application response.
Ingredients for SSRF
When hunting for SSRF vulnerabilities in an API, look for:
Full URLs or URL paths in POST bodies or parameters.
Headers that may contain URLs (e.g., Referer).
Any form of user input that the server might process as a URL.
Testing SSRF in crAPI
Identify requests involving URLs, such as:
POST /community/api/v2/community/posts
POST /workshop/api/shop/orders/return_order?order_id=4000
POST /workshop/api/merchant/contact_mechanic
Testing for SSRF
Either using Postman or the web browser, proxy the requests that you are targeting to Burp Suite.
Use Burp Intruder with Pitchfork Attack Mode: The Pitchfork mode in Burp Intruder pairs separate payloads, which is ideal here as it allows you to pair each valid
order_id
with different SSRF payloads (target URLs).
Let's try this out on the contact_mechanic request. Set the attack position, copy and paste the payloads you previously used for URLs, and send the attack. Review the results and see if there is anything interesting.
We can also verify that a request was made from the server by visiting our webhook.site page.
Last updated