The Pentesting Guide
TwitterBlog
  • The Pentesting Guide
  • ℹ️0 - Pre-Engagement
  • 🔍1 - Information Gathering
  • Passive (OSINT)
  • Active
    • 🕵️HUMINT
    • WIFI
    • IP & Port Scanning
    • Services
      • 21 - FTP
      • 22 - SSH
      • 25 - SMTP
      • 53 - DNS
      • 80,443 - WEB
      • 88 - Kerberos
      • 110 - POP3
      • 111 - rpcbind
      • 161 - SNMP
      • 389 - LDAP
      • 139,445 - SMB
      • Active Directory
  • 💣2 - Exploitation
  • Brute Forcing
  • WEB
    • Apache Tomcat
    • Authentication
    • Broken Access Control
    • Cache poisoning
    • Clickjacking
    • CORS
    • CSRF
    • File Inclusion
    • Host Header Injection
    • HTTP Request Smuggling
    • Information disclosure
    • JWT
    • OS command injection
    • PHP deserialisation
    • SQLi
    • SSRF
    • SSTI
    • Shellshock
    • Unrestricted File Upload
    • XSS
    • XXE
  • Web (OWASP Test cases)
    • 4.1 Information Gathering
    • 4.2 Configuration and Deployment Management Testing
    • 4.3 Identity Management Testing
    • 4.4 Authentication Testing
    • 4.5 Authorization Testing
    • 4.6 Session Management Testing
    • 4.7 Input Validation Testing
    • 4.8 Testing for Error Handling
    • 4.9 Testing for Weak Cryptography
    • 4.10 Business Logic Testing
    • 4.11 Client-side Testing
    • 4.12 API Testing
  • WIFI
  • HUMINT
    • 🎣Gophish (Phishing)
    • Malicious Phishing Files
    • Phishing Evaluation
  • BoF - Windows(x86)
  • Active Directory
    • Kerberos
    • GPOs
    • Certificates
    • LAPS
    • Domain Trusts
  • 👿3 - Post Exploitation
  • File transfer
  • Shells
  • Situational Awareness
    • Containers and VMs
    • Linux
    • Windows
      • Dumping Credentials
      • Countermeasure Evasion
    • Active Directory
      • BloodHound & SharpHound
  • General
    • Linux
    • Windows
  • Local Privilege Escalation
    • Linux
    • Windows
  • Persistance
    • Windows
  • Cracking
  • Pivoting
    • Tunnelling & Port Forwarding
  • Lateral Movement
  • WIFI
  • 📓4 - Report
  • 🧹5 - House cleaning
Powered by GitBook
On this page
  • Introduction
  • Filter bypass
  • Black List bypass
  • White List bypass
  • References
  1. WEB

SSRF

Introduction

Server-Side Request Forgery (SSRF), is a vulnerability that allows an attacker to induce the server-side of the application to make requests to arbitrary locations, leading to unauthorized access to internal services or files within the application or even external functions of other services.

Examples of this vulnerability are:

  • /media.php?query=../../v1/settings

  • ?link=http://example.com/

  • stockApi=http://localhost/admin

However, this vulnerability is not limited to HTTP protocol, you can perform requests to different protocols such as file://, phar://, gopher://, data://, dict://, etc.

Finally, this vulnerability is hard to find in the wild and requires manual analysis to find a valid input. So there is no special trick to finding them.

Filter bypass

Commonly, most applications with SSRF behaviour are built with defences trying to prevent malicious exploitation. In order to bypass these defences, there are several approaches.

Black List bypass

Some applications might block input containing hostnames like 127.0.0.1 or localhost, which can be circumvented using the following techniques:

  • Alternative representation of 127.0.0.1: 2130706433, 017700000001, 127.1

  • Registering a domain/subdomain that resolves into 127.0.0.1.

  • Obfuscate the blocked string using URL encoding or case variation.

White List bypass

In this case, the application only allows input that contains, begins or ends with a certain string. In this case, you can circumvent the filter with the following techniques:

  • https://<EXPECTED_VALUE>@<EVIL_DOMAIN>/

  • https://<EVIL_DOMAIN>#<EXPECTED_VALUE>/

  • https://<EXPECTED_VALUE>.<EVIL_DOMAIN>/

  • URL encoding.

  • Combinations of all of the above.

References

Last updated 2 years ago

Testing for Server-Side Request Forgery
Server-side request forgery (SSRF)