Server-side request forgery (SSRF)
In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.
-- Wikipedia
SSRF attacks against the server itself
When a web app accepts a URL in a request (e.g. the URL of a product to fetch), you may be able to change that URL arbitrarily and thereby make the server request a resource of your choosing. Because the request is issued by the server itself, you may be able to reach resources that are unreachable from outside (localhost services, back-end systems on the internal network).
Bypass filter
Blocklists
Using alternate IP representations of 127.0.0.1, such as 2130706433 (decimal) or 017700000001 (octal), which a string blocklist does not recognise but the resolver still interprets as the loopback address.
Registering your own domain that resolves to 127.0.0.1, so the hostname looks external while the request lands on the server itself.
Using (double) URL encoding or case variations of the host so the blocked string no longer matches.
Allowlists
Using embedded credentials:
https://expected-host@evil-host
Using fragments:
https://evil-host#expected-host
Leveraging the DNS naming hierarchy with a domain that you control, so a prefix or substring check still sees the expected host:
https://expected-host.evil-host
Combinations of all those techniques
Via open redirect vulnerability
If you find an open redirect vulnerability on an allowed host, you may be able to bypass the filter with it: the validated URL points at the allowed host, and the redirect then sends the server's request to the internal target.
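The following validator, written for this page as an added example (it is not code from the original notes), shows the server-side checks that close each of the bypasses listed under Blocklists, Allowlists and open redirects. It assumes an application that fetches user-supplied URLs with urllib and can live with a strict hostname allowlist; the hostnames, the FAKE_DNS table and the address 11.22.33.44 are constructed so the checks run offline.

```python
"""Defensive validation of user-supplied URLs against the SSRF filter
bypasses listed above. Added example, not code from the original page.
Assumes the application fetches URLs server-side with urllib and can
accept a strict allowlist of hostnames; every hostname and address in
the FAKE_DNS table below is constructed.
"""
import ipaddress
import re
import socket
import urllib.request
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

# Dotted quads or legacy numeric forms (2130706433, 017700000001,
# 0x7f000001, 127.1). Anything matching this that ipaddress cannot parse
# is a non-canonical IP literal the OS resolver would still turn into one.
NUMERIC_HOST = re.compile(
    r"^(0[xX][0-9a-fA-F]+|[0-9]+)(\.(0[xX][0-9a-fA-F]+|[0-9]+))*$")
HOSTNAME_CHARS = re.compile(r"^[a-z0-9.-]+$")


def system_resolver(host: str) -> List[str]:
    """All A/AAAA records for host via the OS resolver (production path)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata), reserved."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_url(url: str,
                 resolve: Callable[[str], List[str]] = system_resolver,
                 allowed_hosts: Optional[Set[str]] = None) -> List[str]:
    """Return the addresses the URL resolves to if it passes every check,
    otherwise raise ValueError. Exact host matching defeats the userinfo,
    fragment and sub-domain tricks; the numeric-form check defeats alternate
    IP representations; resolving and inspecting every record defeats an
    attacker-controlled domain that points at 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # https://expected-host@evil-host : the real host hides behind userinfo.
    if parts.username is not None or parts.password is not None:
        raise ValueError("embedded credentials not allowed")
    host = parts.hostname   # lowercased; userinfo, port and fragment split off
    if not host:
        raise ValueError("missing host")
    # https://evil-host#expected-host and https://expected-host.evil-host
    # both fail an exact comparison; substring or prefix checks would not.
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    try:
        ipaddress.ip_address(host)
        addresses = [host]                  # canonical IP literal, no DNS
    except ValueError:
        if NUMERIC_HOST.match(host):
            raise ValueError(f"non-canonical IP literal: {host!r}") from None
        if not HOSTNAME_CHARS.match(host):  # %-encoded or otherwise junk host
            raise ValueError(f"invalid host characters: {host!r}") from None
        addresses = resolve(host)
    for addr in addresses:
        if is_internal(addr):
            raise ValueError(f"{host!r} resolves to internal address {addr}")
    return addresses


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Returning None makes urlopen raise HTTPError on a 3xx instead of
    following it, so an open redirect on an allowed host cannot re-target
    the server's request at an internal address."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, allowed_hosts: Set[str]) -> bytes:
    """Validate, then fetch without following redirects (production path)."""
    validate_url(url, allowed_hosts=allowed_hosts)
    opener = urllib.request.build_opener(RefuseRedirects)
    with opener.open(url, timeout=5) as resp:
        return resp.read()


# Constructed DNS table standing in for the resolver so the checks run offline.
FAKE_DNS: Dict[str, List[str]] = {
    "expected-host": ["11.22.33.44"],          # constructed public address
    "evil-host": ["127.0.0.1"],                # attacker's domain -> loopback
    "expected-host.evil-host": ["10.0.0.5"],
    "dual": ["11.22.33.44", "::1"],            # one public, one loopback record
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"NXDOMAIN (constructed table): {host!r}")
    return FAKE_DNS[host]


def rejected(url: str, allowed_hosts: Optional[Set[str]] = None) -> bool:
    """True when validate_url refuses the URL under the constructed table."""
    try:
        validate_url(url, resolve=fake_resolver, allowed_hosts=allowed_hosts)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for u in ["https://expected-host/item/1", "https://expected-host@evil-host/",
              "https://evil-host#expected-host", "https://expected-host.evil-host/",
              "http://2130706433/", "http://017700000001/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/",
              "http://127%2e0%2e0%2e1/"]:
        print(("REJECT " if rejected(u, {"expected-host"}) else "ALLOW  ") + u)
```

The allowlist is the primary control; the resolution check is defence in depth for deployments where no allowlist is possible. One caveat remains: the address validate_url checked and the address urllib later connects to come from separate DNS lookups, so a domain whose record changes between them (DNS rebinding) still gets through; closing that requires connecting to the validated IP and sending the hostname in the Host header, which urllib does not do out of the box.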
Blind SSRF
Blind SSRF can be detected most reliably using out-of-band (OAST) techniques, e.g. using Burp Collaborator.
E.g. passing a URL via the Referer header, which the server then requests (typically from analytics or link-tracking code).