Skip to content

04 Server Side Request Forgery

Introduction

  • SSRF stands for Server-Side Request Forgery.
  • SSRF allows a malicious user to cause the webserver to make an additional or edited HTTP request to the resource of the attacker's choosing.
  • There are two types of SSRF
  • Regular SSRF
  • Blind SSRF

Impact

  • A successful SSRF attack can result in any of the following:
    • Access to unauthorised areas.
    • Access to customer/organisational data.
    • Ability to Scale to internal networks.
    • Reveal authentication tokens/credentials.

SSRF Example

SSRF by Path Traversal

  • The expected request from website.thm when a user requests stock information is as below. 
    1
    http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123
  • The attacker changes the request to the one below 
    1
    http://website.thm/stock?url=/../user

SSRF by Changing Subdomain

  • The expected request from website.thm when a user requests stock information is as below. 
    1
    http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123
  • The attacker changes the request to the one below 
    1
    http://website.thm/stock?url=http://hacker.domain.thm

    1
    http://website.thm/stock?url=hacker.domain.thm/api/stock/item?id=123&x=
  • Use &x= to change the remaining part of the subdomain to a parameter.
  • In this case api.website.thm/api/stock/item?id=123 will become the value of x.

Finding an SSRF

  • Potential SSRFs can be spotted in web applications in one of the below ways.
  • When a full URL is used in a parameter in the address bar: https://website.thm/form?server=http://server.website.thm/store.
  • A hidden field in a form: <input type="hidden" name="server" value="http://server.website.thm/store">.
  • A partial URL such as just the hostname: https://website.thm/form?server=api.
  • The path of the URL: https://website.thm/form?dst=/forms/contact.

Defenses Against SSRF

  • There are usually two approaches to this, either a deny list or an allow list.

Deny List

  • A Deny List is where all requests are accepted apart from resources specified in a list or matching a particular pattern.
  • Usually, domain names such as localhost and 127.0.0.1 would appear on a deny list.
  • Attackers can bypass a Deny List by using alternative localhost references such as0, 0.0.0.0, 0000, 127.1, 127.*.*.*, 2130706433, 017700000001 or subdomains that have a DNS record which resolves to the IP Address 127.0.0.1 such as 127.0.0.1.nip.io.
  • Also, in a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254 which contains metadata for the deployed cloud server, including possibly sensitive information.
  • An attacker can bypass this by registering a subdomain on their own domain with a DNS record that points to the IP Address 169.254.169.254.

Allow List

  • An allow list is where all requests get denied unless they appear on a list or match a particular pattern, such as a rule that an URL used in a parameter must begin with https://website.thm.
  • An attacker could quickly circumvent this rule by creating a subdomain on an attacker's domain name, such as https://website.thm.attackers-domain.thm.

Open Redirect

  • An open redirect is an endpoint on the server where the website visitor gets automatically redirected to another website address.
  • For example: the link https://website.thm/link?url=https://tryhackme.com.
  • An attacker could utilise the above feature to redirect the internal HTTP request to a domain of the attacker's choice.