SSRF: What every beginner pentester should know

Photo by @NEOSiAM 2021

Learn about Server-Side Request Forgery (SSRF) and how to protect your web applications. Our beginner-friendly guide covers the basics of SSRF, including what it is, how it works, and the types of vulnerabilities that can lead to SSRF attacks. Get tips and best practices for identifying SSRF vulnerabilities and mitigating the risks.

What is SSRF?

Server-Side Request Forgery (SSRF) is a type of web application vulnerability that allows an attacker to send malicious requests from a vulnerable server to internal network resources or external resources.

SSRF Simple Example

These requests are made on behalf of the vulnerable server, which can enable the attacker to bypass security controls, access sensitive data, and perform other malicious actions.

SSRF is considered a significant threat because it can be used to exploit a wide range of vulnerabilities in web applications, including those that are not directly related to the application itself. For example, SSRF can be used to gain unauthorized access to internal network resources, such as databases, internal web services, and other sensitive systems. It can also be used to perform reconnaissance on internal network infrastructure and discover potential attack vectors.

Another significance is that SSRF vulnerabilities are often found in web applications that are used to process user-supplied data, such as file uploads, web scraping, and other types of data processing. This makes SSRF a serious threat to web applications that handle sensitive data, such as financial data, personal information, and other types of confidential data.

SSRF vulnerabilities can also be used in combination with other types of attacks to increase the impact of the attack. For example, SSRF vulnerabilities can be used to perform distributed denial-of-service (DDoS) attacks, data exfiltration, and other types of attacks that can cause significant damage to a web application, its underlying systems, and its users.

Overall, SSRF is a serious threat to web application security and should be taken into consideration when designing and securing web applications.

What Are Some Common SSRF Attack Scenarios?

1. File reading: An attacker can use SSRF to access files on the server that the web application has permissions to read, this could lead to sensitive data exfiltration.
2. Port scanning: An attacker can use SSRF to scan internal network ports to identify open ports and services, this information could be used to launch further attacks.
3. Internal network reconnaissance: An attacker can use SSRF to gather information about internal network infrastructure, such as IP addresses, hostnames, and other details that could be used to identify potential attack vectors.
4. Outbound connections: An attacker can use SSRF to initiate outbound connections to external resources, such as external web services, cloud resources, and other systems. This could be used to perform reconnaissance, data exfiltration, or other malicious actions.
5. DDoS: An attacker can use SSRF to perform distributed denial-of-service (DDoS) attacks by sending a large number of requests to a targeted resource, this could cause the targeted resource to become unavailable.
6. Bypassing security controls: An attacker can use SSRF to bypass security controls, such as firewalls, intrusion detection systems, and other security measures that are designed to protect internal network resources.

While these might not be all the possible scenarios, it is important to keep up to date with new exploit SSRF vulnerabilities.

Main Components of SSRF

1. The vulnerable server: This is the web application or server that is vulnerable to SSRF attacks. The vulnerable server can be a web application, web service, or other type of server that is used to process user-supplied data.
2. The attacker: This is the person or entity that is attempting to exploit the SSRF vulnerability. The attacker may be an individual, a group, or an automated script.
3. The target resource: This is the internal network resource or external resource that the attacker is trying to access. The target resource can be a file, a web service, a database, or any other type of resource that is accessible from the vulnerable server.
4. The malicious request: This is the request that the attacker is sending from the vulnerable server to the target resource. The malicious request can be an HTTP request, an SMTP request, or any other type of request that the vulnerable server can send.
5. The response: This is the response that the target resource sends back to the vulnerable server in response to the malicious request. The response can contain sensitive information, such as credit card numbers, personal information, or other types of sensitive data.

How does SSRF Work?

As we mentioned before, SSRF is all about an attacker using a server that has not been properly configured and exploiting that to obtain something in return.

Let’s break down into steps to achieve SSRF:

1. The attacker identifies a vulnerable server: The attacker identifies a web application or server that is vulnerable to SSRF attacks. This can be done by manual testing, automated scanning, or other methods.
2. The attacker crafts a malicious request: The attacker crafts a malicious request that will be sent from the vulnerable server to the target resource. The request can include a URL or IP address, a file path, or other information that will be used to access the target resource.
3. The attacker sends the malicious request: The attacker sends the malicious request from the vulnerable server to the target resource. The request can be sent using an HTTP request, an SMTP request, or any other type of request that the vulnerable server can send.
4. The target resource responds: The target resource receives the malicious request and sends a response back to the vulnerable server. The response can contain sensitive information, such as credit card numbers, personal information, or other types of sensitive data.
5. The attacker retrieves the response: The attacker retrieves the response from the target resource and can use the information to launch further attacks, exfiltrate sensitive data, or perform other malicious actions.

Exploring A Simple But Vulnerable Web App

<?php

$url = $_GET['url']; // Get URL from user input
$response = file_get_contents($url); // Send request to URL
echo $response; // Display response

?>

This code takes a URL from the user input, and uses the file_get_contents function to send a request to the specified URL. The response is then displayed to the user.

The vulnerability in this code is that it does not properly validate or sanitize the user input, which allows an attacker to submit a malicious URL that points to an internal network resource or an external resource. This can enable the attacker to access sensitive data, perform reconnaissance, or perform other malicious actions.

The exploit request would look something like this:

http://example.com/ssrf.php?url=http://internal-ip:8080/sensitive-data

The attacker can craft a malicious link (such as the one above) that point to an internal network resource, such as a database server or a file server, and trick the victim into visiting the link. Once the victim visits the link, the attacker can access sensitive data stored on the internal network resource, such as credit card numbers, personal information, or other types of sensitive data.

An attacker could also use this vulnerability to gain access to other internal network resources by crafting a malicious URL that points to an internal IP address or hostname. Additionally, the attacker could use this vulnerability to perform port scanning, internal network reconnaissance, and other types of malicious activities.

It’s important to note that this is a simple example and the vulnerability can be found in different variations and in different languages, it’s also important to note that this specific example may not be exploitable in a real-world scenario because it depends on other factors such as the web server configuration and the application architecture.

To mitigate this vulnerability, it’s important to validate and sanitize user input.

Mitigating SSRF Risks

While this post is dedicated towards pentest beginners, understanding mitigations will help you avoid rabbit holes (getting stuck in one point thinking something works, when it doesnt).

There are several common techniques and solutions that can be used to mitigate Server-Side Request Forgery (SSRF) vulnerabilities:

1. Input validation: One of the most important steps in mitigating SSRF vulnerabilities is to validate and sanitize user input. This includes checking that the input is in the correct format and that it does not contain any malicious characters or unexpected data.
2. Whitelisting: Another effective technique is to use whitelisting to only allow requests to specific, known, and trusted external domains. This can help to prevent requests from being sent to malicious or unexpected resources.
3. Network segmentation: By separating the internal network into different segments, it can help to limit the scope of an SSRF attack and reduce the risk of sensitive data being accessed.
4. Firewall: A firewall can be used to block or restrict access to internal network resources from external sources. This can help to prevent SSRF attacks from being successful.
5. Security testing: Regularly testing web applications and servers for SSRF vulnerabilities can help to identify and fix vulnerabilities before they can be exploited. This can include penetration testing, vulnerability scanning, and other types of security testing.
6. Stay updated: Keeping up to date with the latest SSRF attack techniques, vulnerabilities, and best practices for mitigating SSRF risks is important to protect your application and your network.

Some of these can be bypassed when improperly done, however, having a combination of these will help you avoid SSRF.

Conclusion

In conclusion, Server-Side Request Forgery (SSRF) is a serious threat to web application security that can be used to exploit a wide range of vulnerabilities.

As a penetration tester, it’s important to be familiar with SSRF attacks and how to identify and exploit SSRF vulnerabilities. By understanding the basics of SSRF, the types of vulnerabilities that can lead to SSRF attacks, and the potential impact of an SSRF attack, you can better identify and exploit SSRF vulnerabilities in web applications.

Additionally, by familiarizing yourself with the common mitigation techniques and solutions, you can help your clients to better protect their web applications from SSRF attacks.

Remember that SSRF attacks are constantly evolving and it’s important to keep up to date with the latest attack techniques and best practices for mitigating SSRF risks.

Learn more about SSRF:

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy

SSRF (Server Side Request Forgery)

Liked it?

Follow for more!