SSRF (Server-Side Request Forgery) is a common web security vulnerability that allows an attacker to induce the server-side application to make requests to a location the developer never intended.
In a typical SSRF attack, the attacker causes the web server to connect to internal-only services within the organization's infrastructure, using the server's own network position and credentials. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials or sensitive files.
The following PHP code is vulnerable to SSRF:
<?php
// Vulnerable by design: the attacker-controlled "request" parameter is passed
// straight to fopen(), which honours any stream wrapper PHP supports
// (http://, https://, file://, php://, ...). Nothing is validated.
if (isset($_GET['request'])) {
    $request = $_GET['request'];
    $image = fopen($request, 'rb');
    header('Content-Type: image/png');
    fpassthru($image);   // whatever came back is sent to the client, image or not
}
?>
In the above example, the attacker has full control of the request parameter. Because fopen() accepts URLs (when allow_url_fopen is enabled) as well as local paths, they can make arbitrary GET requests to any website on the Internet and to resources on the server itself (localhost), and the response body is echoed back to them through fpassthru():
GET /?request=http://localhost/server-status HTTP/1.1
Host: example.com
Attackers can also use the same attack to make requests to other internal resources that are not publicly reachable, for example the cloud instance metadata service of AWS EC2 or OpenStack, served on the link-local address 169.254.169.254, which may return temporary credentials for the instance's role. An attacker can even get creative with SSRF and port-scan internal IPs by observing differences in response time and error messages for each host and port:
GET /?request=http://x.x.x.x/latest/meta-data/ HTTP/1.1
Host: example.com
Apart from http:// and https://, an attacker may take advantage of lesser-known or legacy URL schemes, such as file:// (and, in PHP, wrappers like php://filter), to access sensitive files on the local system or on the internal network. Because the code above never checks the scheme, an attacker can retrieve the content of arbitrary files the web server process can read, leading to sensitive information exposure (passwords, source code, confidential data, etc.):
GET /?request=file:///etc/passwd HTTP/1.1
Host: example.com
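A hardened version of the image proxy, added here as an example and not part of the original article, shows the checks that close each of the paths above. It assumes the cURL extension is available (so allow_url_fopen can stay off), a hypothetical handler name fetchImage(), and that only IPv4 targets need to be served; it allows only http/https, resolves the hostname itself, rejects loopback, RFC 1918, link-local (including 169.254.169.254) and other reserved ranges, pins the connection to the address it checked so a DNS rebinding race cannot swap in an internal IP, refuses to follow redirects, and verifies that the bytes really are a PNG before serving them:

```php
<?php
// Hardened image proxy: added example, not the original article's code.
// Assumes ext-curl; IPv6 targets are rejected rather than handled (assumption).
declare(strict_types=1);

// True only for routable public IPv4/IPv6 addresses. FILTER_FLAG_NO_PRIV_RANGE
// drops 10/8, 172.16/12, 192.168/16; FILTER_FLAG_NO_RES_RANGE drops 0/8,
// 127/8, 169.254/16 (cloud metadata) and 240/4, plus the IPv6 equivalents.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns [host, port, checkedIpv4] for an acceptable URL, or null to reject.
function validateFetchUrl(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allowlist: kills file://, php://, ftp://, gopher://, data: ...
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // No userinfo, so http://trusted.example@127.0.0.1/ cannot fool a host check.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($port !== 80 && $port !== 443) {
        return null;                                // no port scanning via the proxy
    }
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return null;                                // IPv6 literal: out of scope here
    }
    if (filter_var($literal, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $candidates = [$literal];
    } else {
        // Resolve ourselves and check every A record. Obfuscated literals such
        // as 2130706433, 0x7f000001 or 127.1 fail FILTER_VALIDATE_IP above, land
        // here, fail to resolve and are rejected.
        $records = dns_get_record($host, DNS_A);
        if ($records === false || $records === []) {
            return null;
        }
        $candidates = array_column($records, 'ip');
    }
    foreach ($candidates as $ip) {
        if (!isPublicIp($ip)) {
            return null;                            // any internal answer rejects the host
        }
    }
    return [$host, $port, $candidates[0]];
}

// Fetches the image bytes or returns null on any policy or transport failure.
function fetchImage(string $url): ?string
{
    $target = validateFetchUrl($url);
    if ($target === null) {
        return null;
    }
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // a 302 to 169.254.169.254 would bypass the check
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // pin to the address we validated (DNS rebinding)
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    // Serve only what is actually a PNG; never echo arbitrary response bodies.
    $info = @getimagesizefromstring($body);
    if ($info === false || $info['mime'] !== 'image/png') {
        return null;
    }
    return $body;
}

if (isset($_GET['request'])) {
    $image = fetchImage((string) $_GET['request']);
    if ($image === null) {
        http_response_code(400);
        exit('invalid image url');
    }
    header('Content-Type: image/png');
    echo $image;
}
```

This is still a denylist of address ranges, which is the weaker of the two designs: if the application only ever needs images from a handful of known hosts, replace the DNS and range checks with a fixed hostname allowlist and keep the redirect, pinning and content checks as they are. With the vulnerable original, every request line shown above succeeds; with this version, file:///etc/passwd fails the scheme check, http://localhost/server-status resolves to 127.0.0.1 and fails isPublicIp(), and a public host whose A record is later rebound to an internal address is still connected to the address that was checked.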
Below is a list of a few request parameters (dorks) through which you can hunt for SSRF-vulnerable websites; any parameter whose value is a URL, hostname or path that the server fetches or redirects to is a candidate:
- ?host=
- ?redirect=
- ?uri=
- ?path=
- ?continue=
- ?url=
- ?window=
- ?next=
- ?data=
- ?image-source=
- ?n=
- ?to=
- ?follow=
- ?u=
- ?go=
- ?fetch=
- ?source=
- ?img-src=