What is Server-side Request Forgery (SSRF)?

Explore Server-Side Request Forgery (SSRF) in this section, gaining insights into its nature and citing common examples. The guide aids in identifying and exploiting vulnerabilities, where attackers manipulate server functions for internal resource access. By altering URLs in server code, they extract sensitive information, connect to HTTP-enabled databases, or send unauthorized requests to internal services, ensuring robust system security.

What is SSRF?

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to manipulate and control internal and external network services through the application. This vulnerability occurs when a web application makes an HTTP request, which can be both internal and external, on behalf of the user, without properly verifying the source or destination of the request.

The attacker can use this vulnerability to launch a range of attacks, including accessing restricted network resources, compromising sensitive data, and even performing Remote Code Execution (RCE) attacks. SSRF is a severe vulnerability as it allows an attacker to bypass firewalls and other security measures and directly attack the internal network.

Here, the user input (<user_input>) is passed directly to the url parameter, which is then used to make an HTTP request. If the application does not properly validate the source and destination of the request, an attacker can manipulate the url parameter to make a request to any internal or external service.

For example, if the attacker provides the following input:

The web application will make a request to the internal service and potentially leak sensitive data. To prevent SSRF attacks, the application should validate the source and destination of the request to ensure that it is not being used to access restricted or malicious resources.

How to do SSRF Attacks Work

Server Side Request Forgery (SSRF) is a type of web application vulnerability that allows an attacker to manipulate a target server into sending requests on their behalf. The attacker exploits the vulnerable server to make requests to internal or external resources, including resources that are not accessible to the public.

The attack works by exploiting a vulnerable server-side component, such as a web application, to send HTTP requests to a target resource. The requests are made using the target server's IP address, allowing the attacker to bypass access controls and security measures.

In a typical SSRF attack, the attacker starts by sending a crafted HTTP request to the vulnerable server-side component. This request contains a URL that points to an internal or external resource, such as a database, a file server, or an internal API.

When the vulnerable component processes the request, it sends an HTTP request to the target resource on behalf of the attacker. This allows the attacker to access and extract sensitive information from the target resource, such as authentication credentials, private data, and configuration details.

Here's a simple example of an SSRF vulnerability in a PHP application:

In this example, an attacker can supply a URL that points to a sensitive resource, such as a database, and extract its contents. This type of attack is possible because the PHP application does not validate or sanitize the URL input, allowing the attacker to control the target resource.

Exploiting SSRF Vulnerability

Exploiting an SSRF vulnerability involves leveraging the vulnerability to make unauthorized requests from a server, typically to gain unauthorized access to sensitive information or to perform malicious actions. This is done by crafting a malicious request that the server will process, such as making a request to an internal network service or file system.

To exploit an SSRF vulnerability, an attacker will often manipulate the target server into making a request to a specific URL, such as a local host or intranet IP address. This can be achieved through a variety of methods, including URL encoding, base64 encoding, and manipulating HTTP headers. Once the attacker has successfully exploited the vulnerability, they can gain access to sensitive information or carry out malicious actions.

Techniques for Bypassing SSRF Protections

When it comes to exploiting SSRF vulnerability, there are several techniques that attackers can use to bypass the protections in place. Some of the most common techniques include:

1. URL Encoding

URL Encoding is a technique used to encode characters in a URL in order to represent special characters and characters outside the ASCII set. This is important for URL encoding because URLs can only contain characters within the ASCII range and the special characters ";", "/", "?", ":", "@", "=" and "&". When characters outside of this range or special characters need to be included in a URL, they are URL-encoded. This is done by converting the character into its corresponding ASCII code and representing it as a percent-encoded value.

In the context of SSRF, URL encoding can be used as a technique for bypassing SSRF protections. By encoding a URL, an attacker can attempt to send a request to a different URL than what is intended by the application. For example, a web application might limit the URL that can be requested to only internal resources. By URL encoding a special character, the attacker can attempt to bypass this restriction and request an external resource.

2. Null Byte Injection

Null Byte Injection is a technique used to bypass web application firewalls and filters. It works by exploiting the way that some web applications handle the null byte (\0) character, which is used in C programming to mark the end of a string. When the null byte character is used in an HTTP request, it can be interpreted by a web application as the end of the input, even if there is more data after it.

The technique of Null Byte Injection is to include the null byte character in a URL, which will be interpreted by the web application as the end of the URL and not include the characters that come after it. This can be used to bypass security filters and access resources that would normally be restricted.

Here is an example of a simple Null Byte Injection attack in Python:

In this example, the attacker is trying to access the file index.html by including the null byte character %00 in the URL. If the web application is vulnerable to Null Byte Injection, the request will be processed as if the attacker is trying to access the file index.html instead of index.html.jpg.

It's important to note that not all web applications are vulnerable to Null Byte Injection attacks. However, it is a useful technique to be aware of, as it can be a powerful tool for bypassing security filters and accessing restricted resources.

3. IPv6 Address Format

In this technique, the attacker can craft a URL with an IPv6 address instead of a domain name. Since IPv6 addresses are enclosed in square brackets, the attacker can bypass any input validation checks that may be in place. The application may treat the input as a valid IPv6 address and request the specified IP address.

For example, a vulnerable application may have a feature that allows users to enter a URL to fetch the contents of a web page. An attacker can enter a URL with an IPv6 address in square brackets, such as [::1], which represents the localhost IP address in IPv6. The application may treat this input as a valid IP address and make a request to the specified IP address, which in this case would be the localhost IP address.

4. Local File Inclusion

A scenario where an attacker can bypass SSRF using LFI is when the vulnerable application allows the user to specify a file path in the URL, and the application does not properly validate or sanitize the input. The attacker can craft a URL that includes a remote server IP address and a file path on the remote server. The application will then attempt to access the specified file on the remote server, effectively bypassing any restrictions that are in place to prevent direct access to the server.

To illustrate this, let's say that an attacker wants to access the file "/etc/passwd" on a remote server with an IP address of 10.10.10.10. The attacker can craft a URL like the following:

If the application is vulnerable to SSRF and does not properly validate the "file" parameter, it will attempt to access the "/etc/passwd" file on the remote server specified by the attacker.

5. DNS Rebinding

DNS Rebinding is a technique used by attackers to exploit Server-Side Request Forgery (SSRF) vulnerabilities by leveraging the Domain Name System (DNS) infrastructure. The goal of a DNS rebinding attack is to bypass firewall restrictions or access internal network resources that are only accessible from trusted sources.

Here is a basic example of a DNS rebinding attack:

1. The attacker creates a malicious website and registers a domain name, such as "attackersite.com", that resolves to the attacker's IP address.
2. The attacker lures the victim to visit the malicious website.
3. The attacker's website sends a request to the vulnerable server that is vulnerable to SSRF.
4. The request contains a URL that points to a subdomain of the attacker's domain, such as "subdomain.attackersite.com".
5. The vulnerable server resolves the subdomain to the IP address of the attacker's website.
6. The attacker changes the IP address of the subdomain to a private IP address that belongs to an internal resource within the target network, such as a database or a file server.
7. The vulnerable server sends a request to the private IP address, bypassing the firewall restrictions and accessing the internal resource.

How to Prevent SSRF

Preventing Server-Side Request Forgery (SSRF) vulnerability requires following best practices and implementing certain security measures:

• Input Validation: Ensure that all user input is validated and sanitized to prevent malicious payloads from being executed.
• Blacklisting: Blacklist known IP addresses and domains that are known to be dangerous.
• Whitelisting: Whitelist only trusted domains and IP addresses, and restrict access to only those.
• Access Control: Implement strict access control mechanisms to limit the privileges of the user who is executing the request.
• Network Segmentation: Segregate the network into different segments to reduce the attack surface and make it harder for attackers to access critical systems.
• Security Monitoring: Monitor your applications and systems for any suspicious activity, including SSRF attacks.
• Security Updates: Regularly update your software and systems to ensure that any security vulnerabilities are patched.
• Code Review: Conduct code reviews to identify and remediate SSRF vulnerabilities before they can be exploited.
• Awareness Training: Train your employees on the risks associated with SSRF, and how they can prevent it by following best practices.

Real-world Examples of SSRF Attacks

Real-world examples of SSRF attacks include:

• Information leakage: An attacker can use SSRF to access sensitive information such as internal network configurations, authentication credentials, or even source code.
• Unauthorized actions: SSRF can be used to carry out unauthorized actions, such as sending spam emails, executing malicious commands, or accessing restricted content.
• Internal network compromise: An attacker can use SSRF to penetrate an internal network, potentially compromising sensitive data and resources.
• Remote code execution: SSRF can be used to exploit vulnerabilities in remote systems, potentially leading to remote code execution and complete system compromise.
• Server denial of service: SSRF can also be used to launch a server-side denial of service attack, overwhelming the target system and causing it to become unavailable.