Module 14: Server-side Request Forgery

Introduction to SSRF

Interacting with the Vulnerable Server

Example: Using an SSRF vulnerability, we could interact with the loopback interface of a vulnerable server, which would not otherwise be accessible to us.

Interacting with Back-end Systems and Private IP Ranges

Private IP Addresses

IP address range    Number of addresses
10.0.0.0/8          16,777,216
172.16.0.0/12       1,048,576
192.168.0.0/16      65,536

Using an SSRF vulnerability, we could also potentially interact with other systems on the internal network, including hosts in these private ranges.

Testing for SSRF

Accessing the SSRF Sandbox Application

Start the VPN, VM, and add the IPs and hostnames to your hosts file.

Discovering SSRF Vulnerabilities

If we discover upload functionality via URL, URI, or link, we should test for SSRF.

SSRF Sandbox
SSRF Sandbox previewing http://www.megacorpone.com
SSRF Sandbox - Verify Link
Verifying http://www.megacorpone.com

Calling Home to Kali

Restarting the Apache HTTP Server

When we are performing this kind of testing in the real world, we should include a unique identifier in the URL. This would help us locate the attack in our log file.

Verifying the application requested a page from our Kali VM

Exploiting SSRF

Retrieving Data

Attempting to access the Status page
Using the SSRF vulnerability to access the Status page

Instance Metadata in the Cloud

Some cloud hosting providers, such as AWS, use the link-local address 169.254.169.254 for their metadata services. Others provide access through DNS, such as Google Cloud, which uses metadata.google.internal. These metadata services may expose sensitive or private information.
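From the defender's side, the ranges in the table above, the metadata addresses just described, and the alternative schemes (file, gopher) covered later in this module are exactly what a server-side URL fetcher must refuse. The following validator is an added example written for this module, not code from the course or from any product; the resolver is injectable so the check can be exercised offline, and the blocked hostname list is a constructed, illustrative set.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed, illustrative list of names that map to metadata or loopback.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Resolve a hostname to every IPv4/IPv6 address it maps to."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_safe_fetch_target(url, resolver=default_resolver):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    Rejects non-HTTP schemes (file://, gopher://), known metadata hostnames,
    and any resolved address that is loopback, link-local (169.254.0.0/16,
    which contains 169.254.169.254) or inside the RFC 1918 private ranges.
    Caveat: the address checked here is not pinned for the actual fetch, so
    a resolver that answers differently later (DNS rebinding) still needs
    the HTTP client to connect to the vetted address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no hostname in URL"
    if host.lower() in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # e.g. scoped IPv6 literal we cannot classify
            return False, f"unparseable address: {addr}"
        if ip.is_loopback:
            return False, f"{addr} is loopback"
        if ip.is_link_local:
            return False, f"{addr} is link-local (metadata range)"
        # is_private covers 10/8, 172.16/12, 192.168/16 and IPv6 ULAs.
        if ip.is_private or ip.is_reserved or ip.is_unspecified:
            return False, f"{addr} is not publicly routable"
    return True, "ok"
```

Every address a name resolves to is checked, so a host with one public and one private record is still refused.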

Bypassing Authentication in Microservices

Any security controls enforced by an API gateway on traffic entering the internal network would not apply to traffic between two microservices, since that traffic originates within the internal network.

Alternative URL Schemes

An example file URI in Firefox

Checking the contents of the Kali default homepage

An exception occurred
Accessing the contents of /etc/passwd using curl

Starting a netcat listener on port 9000

Using curl to send a request with the Gopher protocol

Netcat listener handling the Gopher request

Example HTTP GET request

Sending a mock HTTP request over the Gopher protocol

Netcat listener handling our mock HTTP request

Accessing /status using the gopher protocol
Sending a POST request with gopher to /status
Double URL-encoding in HTTP Request body

Extra Mile

Use the Gopher protocol to send a POST request with the username "white.rabbit" and password "dontbelate" to the login endpoint to obtain a flag.

Case Study: Group Office

Accessing Group Office

Start the VPN, the VM, and add the IP and hostname to your hosts file.

Discovering the SSRF Vulnerabilities

Group Office login page
Group Office Start Page
The list of portlets we can add to the Start Page
The updated Start page including the News portlet
Group Office RSS Feeds window

Restarting apache2

Adding our IP address as an RSS feed

Checking our access.log file with tail

HTTP history for adding RSS feeds
Proxy request in Burp Suite Repeater
The response content is a 404 page including our IP address

Access log contents include a request to /repeater

My Account link
Updating a user's profile picture
Insert from URL dialog window
Submitting our IP address in the URL field

Access log contents include a request to /fromurl

Burp Suite HTTP history with request to /api/upload.php
The blobId is used in the following request

Creating itworked.html and moving it to our webroot

Updating the URL parameter
The server responds with an error

Exploiting the SSRF Vulnerabilities

The server returned an empty response to our attack
Group Office Address book page
Downloading a blob
Retrieving our HTML page
Sending the SSRF attack to access /etc/passwd
Retrieving the contents of /etc/passwd