Dark Side 108: Intro to SSRF — Server-Side Request Forgery
We’re on Day 19 of TryHackMe’s Cyber Advent 2 event!
Today’s challenge demonstrated a Server-Side Request Forgery attack. As the name suggests, this attack tricks a website into letting a user into the backend server supporting a public-facing web application. These vulnerabilities usually exist as a result of improper error handling: a malicious user sends a request to access resources that aren’t publicly available, and the website serves up that data, not knowing it shouldn’t.
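A defensive check for the request pattern described above, as an added example that is not part of the original post or the challenge's code: before the server fetches a user-supplied URL, it refuses any destination that resolves to an internal address. The function names, host names and DNS answers are assumptions constructed for illustration so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "public.example": {"93.184.216.34"},
    "intranet.example": {"10.0.0.5"},
    "mixed.example": {"93.184.216.34", "10.0.0.5"},
}

def constructed_resolve(host):
    # Hypothetical stand-in resolver: unknown names are treated as IP literals.
    return CONSTRUCTED_DNS.get(host, {host})

def system_resolve(host):
    """Every address the host resolves to, with any IPv6 zone id removed."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip_text):
    """True for addresses a public web app should not fetch on a user's behalf."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_destination(url, resolve=system_resolve):
    """Return None if the server may fetch url, otherwise the refusal reason."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not host:
        return "no host"
    try:
        addresses = resolve(host)
        internal = sorted(a for a in addresses if is_internal(a))
    except (OSError, ValueError):
        return "host does not resolve"
    if not addresses:
        return "host does not resolve"
    if internal:                              # one internal answer is enough to refuse
        return f"{host} resolves to internal address {internal[0]}"
    return None
```

In a real fetcher, connect to the address that was checked and re-run the check on every redirect, otherwise the name can resolve differently between the check and the request.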
Let’s dive into this challenge to better understand how this works.
Here’s the scenario:
Santa has released a web app that lets the children of the world check whether they are currently on the naughty or nice list. Unfortunately, the elf who coded it exposed more things than she thought. Can you access the list administration and ensure that every child gets a present from Santa this year?
After deploying the web server, I began by browsing to the IP in a web browser and sure enough, our Naughty and Nice List loaded. To test it out, I typed in a random name and hit “Search”.
The name I searched, Sarah, was on the Nice list. In order to begin planning our SSRF attack, I had to review the URL of the search…