Bypassing SSRF Protection

There’s always more to do…

Vickie Li
Jun 8, 2019 · 5 min read
Error. Requests to this address are not allowed. Please try again.

SSRF Protection Mechanisms

Companies have really caught onto the risk of SSRF attacks. As a result, most have implemented some form of SSRF protection on their web applications. There are two main types of SSRF protection mechanisms out there: blacklists and whitelists.

Bypassing Whitelists

Whitelists are generally harder to bypass because they are, by default, stricter than blacklists. But a bypass is possible if there is an open redirect vulnerability within one of the whitelisted domains: if you can find an open redirect, you can request a whitelisted URL that redirects to an internal URL.


Bypassing Blacklists

However, because most applications need to fetch external resources, most SSRF protection mechanisms come in the form of a blacklist. If you are faced with a blacklist, there are numerous ways of tricking the server:

Fooling it with redirects

Make the server request a URL that you control which redirects to the blacklisted address. The blacklist is checked against the URL you supplied, not against the address the redirect leads to. For example, you can host a file with the following content on your web server:

<?php header("Location: http://127.0.0.1"); ?>

Tricking it with DNS

Modify the A/AAAA record of a domain you control and make it point to internal addresses of the victim's network. For example, let's say attacker.com is a domain that you own. You can create a custom hostname-to-IP-address mapping that makes http://subdomain.attacker.com resolve to 127.0.0.1. Now when the target server requests http://subdomain.attacker.com, the hostname passes the blacklist, but the server resolves it to 127.0.0.1 and requests data from that address!

Using IPv6 addresses

Try using IPv6 addresses instead of IPv4. The checks implemented for IPv4 addresses (for example, blocking 127.0.0.1) might not have been implemented for their IPv6 equivalents (such as ::1).

Switching out the encoding

There are many different ways of encoding a URL or an address that don't change how a server interprets its location but might let it slip under the radar of a blacklist. These include hex encoding, octal encoding, dword encoding, URL encoding, and mixed encoding. A blacklist that compares strings sees none of the following as 127.0.0.1, yet the operating system's address parser resolves all of them to it:

127.0.0.1 translates to 0x7f.0x0.0x0.0x1 (hex)
127.0.0.1 translates to 0177.0.0.01 (octal)
127.0.0.1 translates to 0177.0.0.0x1 (mixed octal and hex)
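As an added example that is not part of the original post, here is the defensive counterpart to the four bypasses above: a Python check that parses IPv4 literals with the same parser the OS uses (so the hex, octal and dword spellings collapse to 127.0.0.1), resolves hostnames and rejects any non-public record including IPv6 and IPv4-mapped forms, and follows redirects by hand so every hop is re-validated. The domain names and the DNS table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS table so the example runs offline. A real deployment resolves
# with socket.getaddrinfo and then connects to the address it checked, so that a
# record changed between the check and the connect cannot slip through.
FAKE_DNS = {
    "files.example.org": ["93.184.216.34"],
    "subdomain.attacker.example": ["127.0.0.1"],  # attacker-controlled A record
    "v6.attacker.example": ["::1"],               # attacker-controlled AAAA record
}

def canonical_ips(host):
    """Every address `host` can reach, as ipaddress objects.
    IPv4 literals go through inet_aton, the parser the OS itself uses, so the
    hex, octal and dword spellings of 127.0.0.1 (0x7f.0x0.0x0.0x1, 0177.0.0.01,
    2130706433) normalise to the address a string blacklist would miss. Names
    are resolved and every returned record is checked, not only the first."""
    try:
        ips = [ipaddress.ip_address(socket.inet_aton(host))]
    except OSError:
        try:
            ips = [ipaddress.ip_address(host)]      # IPv6 literal
        except ValueError:                          # not a literal: a hostname
            ips = [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]
    # An IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 is still loopback.
    return [getattr(ip, "ipv4_mapped", None) or ip for ip in ips]

def is_safe_target(url):
    """True only if the URL is http(s) and every address it maps to is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = canonical_ips(parts.hostname)    # hostname is lowercased and unbracketed
    return bool(ips) and all(ip.is_global for ip in ips)

def fetch(url, send, max_redirects=3):
    """Follow redirects by hand so every hop is re-validated. `send(url)` is the
    caller's HTTP function returning (status, value): value is the Location
    header for a redirect and the response body otherwise."""
    for _ in range(max_redirects + 1):
        if not is_safe_target(url):
            raise ValueError("blocked SSRF target: " + url)
        status, value = send(url)
        if status not in (301, 302, 303, 307, 308):
            return value
        url = value                                 # redirect target, checked next
    raise ValueError("too many redirects")
```

An unresolvable name yields no addresses and is rejected, so the check fails closed.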

Conclusion

This is just a small portion of the bypasses an attacker could have in their arsenal, and I'm pretty sure there are many more creative ways out there to defeat protection and achieve SSRF.

Happy Hacking!

Next time, we’ll talk about some interesting cases of SSRFs found in the wild.


Hi there, thanks for reading. Please help make this a better resource for new hackers: feel free to point out any mistakes or let me know if there is anything I should add!


Disclaimer: Trying this on systems where you don’t have permission to test is illegal. If you’ve found a vulnerability, please disclose it responsibly to the vendor. Help make our Internet a safer place :)
