d4Rk's 1337 h4x0r guide

Server-side request forgery (SSRF)


Last updated 2 years ago

In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.

--

SSRF attacks against the server itself

When a web app takes a URL in a request (e.g. a stock-check or product API that fetches a back-end URL), you may be able to change that URL arbitrarily and make the server fetch whatever you choose. Because the request is issued by the server itself, it can reach resources that are unreachable from outside: services bound to loopback (http://localhost/admin), hosts on the internal network, or cloud metadata endpoints. Access controls that merely check whether a request originates from the local machine or the internal network are bypassed this way.

POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

someParam=http://192.168.0.42/admin

Bypass filter

Blocklists

  • Using an alternate representation of 127.0.0.1 that a string-based blocklist does not recognise but the server's socket library (inet_aton) accepts: 2130706433 (decimal), 017700000001 (octal), 0x7f000001 (hex), the shortened form 127.1, or the IPv6 loopback [::1].

  • Registering your own domain that resolves to 127.0.0.1: the filter sees a harmless hostname, the server connects to loopback.

  • Using (double) URL encoding or case variations (e.g. LoCaLhOsT) when the filter compares strings literally.

Allowlists

  • Using embedded credentials: https://expected-host@evil-host (a filter that checks the string prefix passes it; the client's URL parser treats expected-host as the username and connects to evil-host).

  • Using fragments: https://evil-host#expected-host (a filter that looks for the expected host anywhere in the string passes it; the client never sends the fragment).

  • Leveraging the DNS naming hierarchy with a domain that you control: https://expected-host.evil-host (passes a "starts with expected-host" check; resolves under your domain).

  • Combinations of all those techniques.

Via open redirect vulnerability

If the allowed host exposes an open redirect, point the parameter at that redirect endpoint and let the server follow the redirect to the internal target. The filter only ever sees the allowed host; the redirect happens after validation.

POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

someParam=/some/url?path=http://192.168.0.42/admin
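The two filter-bypass lists above and the open-redirect trick, worked through in Python as an added example (this is not code from the original page): the substring checks the bypasses defeat, an inet_aton-style parser that canonicalises the decimal, octal, hex and shortened spellings of 127.0.0.1, a validator that parses the URL the way the HTTP client will and vets every resolved address, and a redirect walk showing that a fetcher which validates only the first URL still lands on http://192.168.0.42/admin. The hostnames expected-host and evil-host, the public addresses in the resolver table, and the route table standing in for the servers are all constructed for the demo.

```python
"""SSRF target validation: added example, not code from the original page.
Substring filters of the kind the bypass lists defeat, an inet_aton-style
parser for the alternate spellings of 127.0.0.1, a parse-then-resolve
validator, and a redirect walk. Hostnames, resolver and routes are constructed."""
import ipaddress
import re
from typing import Callable, Dict, Iterable, Optional, Set
from urllib.parse import urljoin, urlparse

# --- naive filters of the kind the bypass lists defeat -----------------------
BLOCKED_SUBSTRINGS = ("127.0.0.1", "localhost", "192.168.", "10.")

def naive_blocklist_allows(url: str) -> bool:
    """Substring blocklist: blind to 2130706433, 017700000001, 0x7f000001, 127.1."""
    return not any(bad in url.lower() for bad in BLOCKED_SUBSTRINGS)

def naive_allowlist_allows(url: str, expected: str = "expected-host") -> bool:
    """Substring allowlist: passes the user@host, #fragment and subdomain tricks."""
    return expected in url

# --- what the HTTP client will actually connect to ---------------------------
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)

def canonical_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    """inet_aton rules: 1-4 dot-separated parts, each decimal, octal (leading 0)
    or hex (0x); the last part fills the remaining bytes. None if not a literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    vals = [int(p[2:], 16) if p[:2].lower() == "0x"
            else int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)
            for p in parts]
    *head, last = vals
    tail_bits = 8 * (5 - len(parts))  # how many bytes the last part covers
    if any(v > 0xFF for v in head) or last >= 1 << tail_bits:
        return None
    packed = last
    for i, v in enumerate(reversed(head)):
        packed |= v << (tail_bits + 8 * i)
    return ipaddress.IPv4Address(packed)

Resolver = Callable[[str], Iterable[str]]

def is_safe_target(url: str, resolve: Resolver,
                   allowed_hosts: Optional[Set[str]] = None) -> bool:
    """Parse the URL as the client does, then vet every address the host maps to.
    Rejects non-http schemes, embedded credentials, hosts outside the allowlist
    (exact match, so expected-host.evil-host fails) and any non-public address."""
    try:
        p = urlparse(url)
    except ValueError:
        return False
    host = p.hostname  # lowercased; userinfo, port and fragment already split off
    if p.scheme not in ("http", "https") or p.username is not None or not host:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    literal = canonical_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)  # IPv6 literals such as ::1
        except ValueError:
            pass
    addrs = [literal] if literal is not None else [
        ipaddress.ip_address(a) for a in resolve(host)]
    return bool(addrs) and not any(
        a.is_loopback or a.is_private or a.is_link_local or a.is_multicast
        or a.is_reserved or a.is_unspecified for a in addrs)

# --- the open-redirect bypass: validate once vs. validate every hop ----------
RESOLVER_TABLE = {"expected-host": ["93.184.216.34"],  # constructed public IPs
                  "evil-host": ["93.184.216.35"]}
ALLOWED = {"expected-host"}
REDIRECT_URL = "http://expected-host/some/url?path=http://192.168.0.42/admin"
ROUTES = {  # constructed servers: url -> "<status> <Location or body>"
    REDIRECT_URL: "302 http://192.168.0.42/admin",   # the open redirect
    "http://192.168.0.42/admin": "200 admin panel",  # internal target
}

def demo_resolve(host: str) -> Iterable[str]:
    return RESOLVER_TABLE.get(host, [])

def fetch(url: str, routes: Dict[str, str], resolve: Resolver,
          allowed: Set[str], check_each_hop: bool, max_hops: int = 5) -> str:
    """Follow redirects through the constructed routes; return body or 'BLOCKED'."""
    if not is_safe_target(url, resolve, allowed):
        return "BLOCKED"
    for _hop in range(max_hops):
        status, _, payload = routes.get(url, "404 not found").partition(" ")
        if status != "302":
            return payload
        url = urljoin(url, payload)  # the allowed host just sent us anywhere
        if check_each_hop and not is_safe_target(url, resolve, allowed):
            return "BLOCKED"
    return "BLOCKED"
```

Calling fetch(REDIRECT_URL, ROUTES, demo_resolve, ALLOWED, check_each_hop=False) returns the admin panel body, the same call with check_each_hop=True returns BLOCKED. Two caveats the code only hints at: the resolve-then-connect gap (DNS rebinding), which you close by connecting to the address you vetted rather than letting the client resolve a second time, or by enforcing the policy at the network egress; and redirects, which the client library must either refuse to follow or re-validate on every hop, as fetch() does.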

Blind SSRF

Blind SSRF (the server issues the request but nothing of the response comes back to you) is detected most reliably with out-of-band (OAST) techniques, e.g. a Burp Collaborator payload: if the server resolves or requests your unique subdomain, the request was issued.

Inject the URL into every input the server might fetch, not just obvious parameters: e.g. the Referer header, which analytics and link-preview code frequently request.

Wikipedia
PortSwigger - Web Security Academy - Server-side request forgery (SSRF)