#bugbountytips #learn #learn365 #SSRF
Let's learn SSRF in a Thread 🧵
Here is my notes on SSRF (Just Basics) ->
Let's learn SSRF in a Thread 🧵
Here is my notes on SSRF (Just Basics) ->
SSRF → Server Side Request Forgery Attack
In this attack, vulnerable server accept user’s request without filtering and thus trusting user’s input and give back response to user
In this attack, vulnerable server accept user’s request without filtering and thus trusting user’s input and give back response to user
Attacker forge the request in such a way that server accept it thinking it as legit and give the response what the attacker want
Actually , these days , server is around many technologies like → Internal Network, WAF, Databases etc
Actually , these days , server is around many technologies like → Internal Network, WAF, Databases etc
If target have features to fetch URLs from 3rd party websites and trust it and no filter → Then attacker can use own controllable server as 3rd party to fetch Internal Data from Vulnerable Server
So, we can say that SSRF is a vulnerability where attacker Send Malicious Requests to Internal Server on behalf of a Vulnerable Server without filtering it
Example →
Example →
Suppose target have URL-Fetch Feature for a user as allowing user to fetch whatever page he want as server accepting it and not filtering it
Then user can send internal server requests like →
Then user can send internal server requests like →
localhost, or internal ip like 192.168.0.1 or 10.0.0.1 and can gather internal information
Why this happen ?
Because there is no Access Control on such request + No Filtering and accepting user’s requests as thinking legit
Why this happen ?
Because there is no Access Control on such request + No Filtering and accepting user’s requests as thinking legit
So, because of no Access Control → i.e no Privilege check → Attacker can bypass WAF, and can control Internal Network
So, in SSRF → attacker target Internal Network which is not possible by External Network and thus gather Internal Information from there
So, in SSRF → attacker target Internal Network which is not possible by External Network and thus gather Internal Information from there
Why exactly this happen ? → Because Server is trusting 3rd Party Server
Remember → In SSRF → We can communicate with different services running on different protocols by utilizing URI schemes
Remember → In SSRF → We can communicate with different services running on different protocols by utilizing URI schemes
# Types of SSRF
- Normal SSRF →
- we can see the response of SSRF Request in our browser or interceptor
- We can say Error based SSRF → where we can see our response in error
- Normal SSRF →
- we can see the response of SSRF Request in our browser or interceptor
- We can say Error based SSRF → where we can see our response in error
- Blind SSRF →
- Can’t see the response but still can execute SSRF blindly
- For this we need to setup listener to get the idea of working for blind ssrf
- Can’t see the response but still can execute SSRF blindly
- For this we need to setup listener to get the idea of working for blind ssrf
- First setting listener and then send payloads to vulnerable application including listener address and then check response in our own listener
- Listener can be → **webhook, ngrok, netcat, burp collaborator, vps ip** etc
- Listener can be → **webhook, ngrok, netcat, burp collaborator, vps ip** etc
- Time Based SSRF →
- We can determine SSRF according to response time for requests going to existing or not existing internal resources.
- We can determine SSRF according to response time for requests going to existing or not existing internal resources.
# Protocols used while testing SSRF →
- ftp://
- dict://
- gopher://
- file://
- ldap://
- ssh://
- smb://
- http://
- https://
- ftp://
- dict://
- gopher://
- file://
- ldap://
- ssh://
- smb://
- http://
- https://
# What features to test for SSRF →
- Webhooks Functionality
- File Uploading Functionality
- Fetching URL Online Functionality
- Document & Image Processing Functionality
- PDF & Document Parsing Functionality
- Proxy Services
- Host Header
- etc etc
- Webhooks Functionality
- File Uploading Functionality
- Fetching URL Online Functionality
- Document & Image Processing Functionality
- PDF & Document Parsing Functionality
- Proxy Services
- Host Header
- etc etc
# In starting what use to test for SSRF ?
- Test following IP Addresses [mostly but there are more] →
- 127.0.0.0/8
- 192.168.0.0/16
- 10.0.0.0/8
Resources →
en.wikipedia.org/wiki/Reserved_…
- Test following IP Addresses [mostly but there are more] →
- 127.0.0.0/8
- 192.168.0.0/16
- 10.0.0.0/8
Resources →
en.wikipedia.org/wiki/Reserved_…
- Check for common ports like → 80,111,8080 etc
- But also try for non-exist port to see server response
- We need to understand Server Behaviour while using this → Like
- Check response while using ports and non-exist ports → and even open and closed ports
- But also try for non-exist port to see server response
- We need to understand Server Behaviour while using this → Like
- Check response while using ports and non-exist ports → and even open and closed ports
- Response like → HTML Content, Server Banner
- Check Response time → like if port close or not check based on what response time there from server to requests
- Check Response time → like if port close or not check based on what response time there from server to requests
Resources ->
gist.github.com/BuffaloWill/fa…
medium.com/swlh/intro-to-…
medium.com/@vickieli/expl…
Thanks
gist.github.com/BuffaloWill/fa…
medium.com/swlh/intro-to-…
medium.com/@vickieli/expl…
Thanks
# What can do using SSRF →
- Scan the network for hosts,
- Port scan internal machines and fingerprint internal services,
- collect instance metadata,
- bypass access controls,
- leak confidential data,
- and even execute code on reachable machines.
- Scan the network for hosts,
- Port scan internal machines and fingerprint internal services,
- collect instance metadata,
- bypass access controls,
- leak confidential data,
- and even execute code on reachable machines.
Internal Services like ->
- Internal Services like →
- Elastic Cache
- File Servers
- Databases
- Network Infrastruction Switches, Routers, Firewalls etc
- Directory Traversal
- Send an email using [localhost](http://localhost) SMTP
- Internal Services like →
- Elastic Cache
- File Servers
- Databases
- Network Infrastruction Switches, Routers, Firewalls etc
- Directory Traversal
- Send an email using [localhost](http://localhost) SMTP
• • •
Missing some Tweet in this thread? You can try to
force a refresh
