SSRF (Server Side Request Forgery) is one of the most common web security vulnerabilities. It allows an attacker to induce the server-side application to make requests to an unintended location.
In a typical SSRF attack, the attacker causes the web server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials, sensitive files, and so on.
The following PHP code is vulnerable to SSRF:
$request = $_GET['request'];     // attacker-controlled URL, used without any validation
$image = fopen($request, 'rb');  // fopen() opens whatever scheme PHP's stream wrappers support (http://, file://, ...)
In the above example, the attacker has full control over the request parameter. They can make arbitrary GET requests to any website on the Internet and to resources on the server itself (localhost).
GET /?request=http://localhost/server-status HTTP/1.1
Attackers can also use the same flaw to make requests to other internal resources that are not publicly reachable. For example, they can query the instance metadata service of cloud platforms such as AWS EC2 and OpenStack. An attacker can even get creative with SSRF and run port scans against internal IP addresses.
GET /?request=http://x.x.x.x/latest/meta-data/ HTTP/1.1
Apart from http, an attacker may take advantage of lesser-known or legacy URL schemes to access sensitive files on the local system or on the internal network. With the file:// scheme, an attacker can easily retrieve the content of arbitrary files on the server, which leads to sensitive information exposure (passwords, source code, confidential data, etc.).
GET /?request=file:///etc/passwd HTTP/1.1
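A hardened replacement for the fopen() snippet above, as an added example that is not part of the original post: it allow-lists the scheme (blocking file:// and other wrappers), resolves the host and rejects loopback, private and link-local addresses (covering localhost and the 169.254.169.254 metadata endpoint), refuses redirects, and pins the connection to the vetted address. It assumes PHP 7.4+ with the curl extension; the function names are hypothetical.

```php
<?php
// Added example, not the original post's code: a hardened replacement for the
// fopen($_GET['request']) snippet above. Assumes PHP 7.4+ with ext/curl.
// True only for a routable IPv4 address: rejects loopback, RFC 1918, link-local
// 169.254/16 (where cloud instance metadata lives) and other reserved ranges.
function is_public_ipv4(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}
// Returns the response body, or null when the URL fails any check.
function fetch_image_safely(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allow-list the scheme: blocks file://, gopher://, dict://, php:// and so on.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // Resolve once and vet every answer: "localhost", "127.0.0.1" and any name
    // pointing at 169.254.169.254 fail here.
    $ips = gethostbynamel($parts['host']);
    if ($ips === false || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ipv4($ip)) {
            return null;
        }
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a 302 to an internal host would bypass the checks
        // Pin the connection to the vetted address so a second lookup (DNS rebinding)
        // cannot swap in an internal one after the check.
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ips[0]}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Where the application only ever needs to fetch from a known set of hosts, an explicit hostname allow-list in front of these checks is simpler and stronger than the deny-list of address ranges.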
Below is a list of a few parameters and dorks through which you can hunt for SSRF-vulnerable websites: