Server-side request forgery (SSRF) Writeup
In this section, we explain what server-side request forgery (SSRF) is and describe some common examples. We also demonstrate how to identify and exploit SSRF vulnerabilities.
What is SSRF?
Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.
The Impact of SSRF Attacks
A successful Server-Side Request Forgery (SSRF) attack can often result in unauthorized actions or access to data within the organization. This can occur in the vulnerable application itself or extend to other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to execute arbitrary commands. An SSRF exploit that causes connections to external third-party systems might lead to malicious onward attacks, making those requests appear to originate from the organization hosting the vulnerable application.
Common SSRF Attacks
SSRF attacks often exploit trust relationships to escalate an attack from the vulnerable application and perform unauthorized actions. These trust relationships might exist with the server or other back-end systems within the same organization.
Let’s start with the labs:
Lab 1: Basic SSRF against the local server
This lab has a stock check feature that fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
We will use Burp Suite to solve this lab. First, click “Check stock” and intercept the request. Then send this request to Repeater.
In Repeater, we put the given path (http://localhost/admin) in the stockApi parameter, as shown in the figure.
After sending the request we can see the admin panel, where we can delete the user carlos.
After that, we inspect the admin page and find the delete path, as shown in the figure.
Now we send the delete request from Repeater and see the response 302 Found. The lab is solved.
Lab 2: Basic SSRF against another back-end system
This lab has a stock check feature that fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Same process as in the previous lab: click “Check stock”, intercept the POST request, and send it to Repeater.
In this lab we scan the internal 192.168.0.X range for an admin interface on port 8080 and then delete the user carlos. Follow these steps:
- Open Burp Suite and navigate to the stock check functionality.
- Set up the scan in Burp Intruder:
  - Click “Clear §” to clear any existing payload markers.
  - Change the stockApi parameter to http://192.168.0.1:8080/admin.
  - Highlight the final octet of the IP address (the number 1) and click “Add §” to add a payload marker.
- Configure the payload:
  - Switch to the “Payloads” tab.
  - Change the payload type to “Numbers”.
  - Enter 1 in the “From” box, 255 in the “To” box, and 1 in the “Step” box.
- Start the attack:
  - Click “Start attack” to initiate the scan.
- Identify the admin interface:
  - Once the attack is complete, click on the Status column to sort by status code in ascending order.
  - Look for a single entry with a status of 200, indicating the presence of an admin interface.
- Send the request to Burp Repeater:
  - Click on the request with the status 200.
  - Send this request to Burp Repeater for further modification.
- Delete the user carlos:
  - In Burp Repeater, change the path in the stockApi parameter to /admin/delete?username=carlos.
  - Example modified request:
    GET /stockCheck?productId=1&stockApi=http://192.168.0.X:8080/admin/delete?username=carlos HTTP/1.1
    Host: example.com
- Send the modified request:
  - Send the request in Burp Repeater to delete the user carlos.
That’s it, the lab is solved.
Lab 3: SSRF with blacklist-based input filter
This lab has a stock check feature that fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
We need to bypass two filters: one on the local server address and one on the admin path.
For the address, we use the shorthand 127.1 instead of 127.0.0.1; for the path, we double URL-encode the ‘a’ in ‘admin’.
From this:
stockApi=http://127.1/admin
To this:
stockApi=http://127.1/%25%36%31dmin
After sending the request we can delete carlos, as shown in the image below.
The lab is solved.
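The bypasses in Lab 1 and Lab 3 work because a substring blacklist never sees the canonical form of the request: 127.1 is not the string 127.0.0.1, and %2561dmin is not the string admin. As an added example (not code from the original writeup or from the lab), here is a Python sketch of that weak check beside an allowlist check that normalises the host, resolves it, and fully percent-decodes the path before deciding; the blocked terms, the host name stock.internal.example, the allowed path prefix and the stub resolver are all assumptions.

```python
import socket
from ipaddress import ip_address
from urllib.parse import urlsplit, unquote

# Weak blacklist modelled on the lab's two defences (the exact terms are an assumption).
BLOCKED_TERMS = ("127.0.0.1", "localhost", "admin")

def blacklist_allows(url: str) -> bool:
    """Substring blacklist: lets through 127.1 and the double-encoded %2561dmin path."""
    return not any(term in url.lower() for term in BLOCKED_TERMS)

def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2561 -> %61 -> a."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def allowlist_allows(url: str, allowed_hosts, allowed_prefix: str = "/product/stock",
                     resolve=socket.gethostbyname) -> bool:
    """Allowlist check: known host, non-loopback resolved address, decoded path prefix."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "http" or port not in (None, 80):
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False
    try:
        addr = ip_address(resolve(host))  # check what the name actually points at
    except (OSError, ValueError):
        return False
    if addr.is_loopback or addr.is_link_local:
        return False
    return fully_decode(parts.path).startswith(allowed_prefix)

# Constructed demo values (assumption): an internal stock host and a stub resolver,
# so the check runs offline; in production resolve() would be real DNS.
ALLOWED_HOSTS = frozenset({"stock.internal.example"})
STUB_DNS = {"stock.internal.example": "192.168.0.50"}.get
```

The resolver stub also lets you show the DNS rebinding case: a name on the allowlist that suddenly resolves to 127.0.0.1 is refused by the loopback check.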