
Server-side Request Forgery

What is Server-side Request Forgery?

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

When does SSRF occur?

SSRF commonly occurs when a website takes a URL supplied in a front-end HTTP request and passes it on to a back-end API endpoint. An attacker can change that URL so the server performs a request of the attacker's choosing on its own behalf.

Outcomes of a successful SSRF attack:

  1. The attacker can reach the private network behind the web server.
  2. The attacker can trick or use other services on behalf of the web server (commonly via internal APIs).

If some strings are blacklisted:

  1. Use an alternative representation of the IP address, for example 127.0.0.1, 2130706433 (decimal), 017700000001 (octal), 127.1 (short form) or localhost.
  2. Register your own domain name that resolves to 127.0.0.1 (e.g. spoofed.burpcollaborator.net).
  3. Obfuscate blocked strings using URL encoding or case variation.
  4. Provide a URL that you control which redirects to the target URL. Try different redirect codes, as well as different protocols for the target URL. For example, switching from an http: to an https: URL during the redirect has been shown to bypass some anti-SSRF filters.

If only certain hosts are whitelisted:

  1. Embed credentials in the URL before the hostname, using the @ character:
     https://expected-host:fakepassword@evil-host
  2. Use the # character to turn the expected host into a URL fragment:
     https://evil-host#expected-host
  3. Use a DNS name you control that contains the whitelisted string:
     https://expected-host.evil-host
  4. Use URL-encoded or double-encoded characters.
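The two lists above work because the filter inspects the raw URL string while the HTTP client connects to whatever the parsed hostname resolves to. The following example is added here and is not part of the original notes: it puts a substring blacklist and a substring whitelist side by side with a check that decides on the parsed host and the address it resolves to, and runs the payloads from both lists through all three. The allow-list, the stand-in DNS table (FAKE_DNS) and the addresses 1.2.3.4 / 5.6.7.8 are constructed so the example runs offline; the lenient dotted/decimal/octal/hex parsing mirrors the inet_aton() behaviour that makes 2130706433, 017700000001 and 127.1 reach 127.0.0.1.

```python
"""Added example (not from the original notes): naive SSRF filters versus a
check on the parsed host and resolved address."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real check must
# resolve with the same resolver the HTTP client uses, and must be repeated
# on every redirect hop, since each Location header is a brand-new URL.
FAKE_DNS = {
    "expected-host": "1.2.3.4",                   # constructed "public" address
    "evil-host": "5.6.7.8",                       # constructed "public" address
    "expected-host.evil-host": "5.6.7.8",
    "spoofed.burpcollaborator.net": "127.0.0.1",  # attacker-owned name -> loopback
    "localhost": "127.0.0.1",
}
ALLOWED_HOSTS = {"expected-host"}          # constructed allow-list
BLOCKED_SUBSTRINGS = ("127.0.0.1", "localhost")
HOST_CHARS = re.compile(r"[a-z0-9.:-]+")   # percent signs are rejected, not decoded
IPV4_PART = re.compile(r"[0-9a-fA-Fx]+")


def naive_blacklist_check(url):
    """The filter the blacklist bypasses defeat: reject if a forbidden string
    appears anywhere in the raw URL."""
    return not any(s in url.lower() for s in BLOCKED_SUBSTRINGS)


def naive_whitelist_check(url):
    """The filter the whitelist bypasses defeat: accept if the expected host
    string appears anywhere in the raw URL."""
    return "expected-host" in url


def parse_ipv4_like_inet_aton(host):
    """Mimic lenient inet_aton() parsing: 1 to 4 numeric parts (decimal,
    leading-0 octal or 0x hex), the last part filling the remaining bytes.
    Returns an IPv4Address, or None if host is not in that form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not IPV4_PART.fullmatch(part):
            return None
        try:
            if part[:2].lower() == "0x":
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    trailing_bytes = 5 - len(values)        # bytes covered by the last part
    if not 0 <= values[-1] < 256 ** trailing_bytes:
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * trailing_bytes)) | values[-1]
    return ipaddress.IPv4Address(number)


def canonical_address(host, dns=FAKE_DNS):
    """Return the address the client would actually connect to for host."""
    try:
        return ipaddress.ip_address(host)     # standard IPv4/IPv6 literal
    except ValueError:
        pass
    literal = parse_ipv4_like_inet_aton(host)  # 2130706433, 017700000001, 127.1
    if literal is not None:
        return literal
    resolved = dns.get(host)
    return ipaddress.ip_address(resolved) if resolved else None


def strict_check(url, dns=FAKE_DNS, allowed_hosts=None):
    """Decide on the parsed host and its resolved address, not on the string.
    Pass allowed_hosts for an allow-list deployment; None only blocks
    non-public destinations. Returns (accepted, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"        # user:pass@evil-host
    host = parts.hostname   # lowercased, without userinfo/port; '#...' is parts.fragment
    if not host or not HOST_CHARS.fullmatch(host):
        return False, "missing host or non-hostname characters"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} is not an allow-listed name"  # expected-host.evil-host
    addr = canonical_address(host, dns)
    if addr is None:
        return False, f"host {host!r} does not resolve"
    if addr.is_multicast or not addr.is_global:
        return False, f"host {host!r} reaches non-public address {addr}"
    return True, f"ok: {host} -> {addr}"


if __name__ == "__main__":
    for u in ("http://2130706433/", "http://017700000001/", "http://127.1/",
              "http://spoofed.burpcollaborator.net/"):
        print(f"{u:45} blacklist passes: {naive_blacklist_check(u)!s:5} strict: {strict_check(u)}")
    for u in ("https://expected-host:fakepassword@evil-host", "https://evil-host#expected-host",
              "https://expected-host.evil-host", "https://expected-host/api"):
        print(f"{u:45} whitelist passes: {naive_whitelist_check(u)!s:5} "
              f"strict: {strict_check(u, allowed_hosts=ALLOWED_HOSTS)}")
```

Two caveats apply even to the stricter check. The address it validates must be the one the client connects to (pin it, or resolve once and connect to the result), otherwise a name that answers differently on the second lookup slips through. And because item 4 of the blacklist list relies on redirects, the client should either not follow redirects or run the same check on every hop.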