Vulnerability Category: A6 - Security Misconfiguration
Vulnerability Description: Server Side Request Forgery (SSRF) refers to an attack in which an attacker is able to make a vulnerable web application send a crafted request on their behalf.
Put simply: the attacker asks the server to fetch a URL for them.
Example
GET /?url=http://google.com/ HTTP/1.1
Host: redacted.com
Here redacted.com fetches http://google.com from its own server.
Types of SSRF:
Basic : The server fetches the URL supplied by the attacker and sends the response back to the attacker, so the result is displayed directly.
Blind : The response is not displayed directly. The existence of the vulnerability is inferred by observing the response status and response time.
Things to remember while checking for SSRF
● Try other URL schemes to read internal resources and make the server perform actions (file:///, dict://, ftp://, gopher://, ...)
Impact:
● An attacker can perform RCE using SSRF
● On cloud-based services, SSRF can expose sensitive tokens/credentials or instance metadata information
Recommendation:
● It is strongly advised to use a whitelist of allowed domains and protocols from which the web server is permitted to fetch remote resources.
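A validator that implements this recommendation, added here as an example and not part of the original report: it accepts only http/https URLs whose host is on a constructed allowlist, rejects embedded credentials, and, when given a resolver, refuses hosts that resolve to private, loopback or link-local addresses (which is where cloud metadata endpoints live). The allowlist contents and the `resolve` callback are assumptions for illustration.

```python
"""Allowlist check for URLs a web server is asked to fetch (SSRF defence)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist: only these schemes and hosts may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


def is_public_address(ip_text):
    """True only for globally routable addresses (blocks 127.0.0.1,
    10.0.0.0/8, 169.254.169.254 metadata, ::1, etc.)."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS,
                    allowed_schemes=ALLOWED_SCHEMES, resolve=None):
    """Return (allowed, reason). `resolve` is an optional callable
    host -> list of IP strings; plug in real DNS resolution in production."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    # file://, dict://, gopher://, ftp:// and a bare path ("about.php") fail here.
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # "https://example.com@evil.test/" parses with hostname 'evil.test'; reject.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    if host.lower().rstrip(".") not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    if resolve is not None:
        try:
            addresses = resolve(host)
        except OSError:
            return False, f"host {host!r} did not resolve"
        for ip_text in addresses:
            if not is_public_address(ip_text):
                return False, f"host {host!r} resolves to non-public {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/about", "file:///etc/passwd",
                      "https://google.com/", "https://example.com@evil.test/"):
        print(candidate, "->", check_fetch_url(candidate))
```

The same check must be applied to every redirect target, so fetch with automatic redirects disabled and re-validate each Location header before following it.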
Severity: High
CVSS v3.0 Score: 8.3
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
How to Test:
Scenario 1: Endpoints which fetch external/internal resources
● http://redacted.com/index.php?page=about.php
● http://redacted.com/index.php?page=https://google.com
● http://redacted.com/index.php?page=file:///etc/passwd
Scenario 2: Change URLs in POST requests
Scenario 3: The server converts uploaded files to PDF; try injecting <iframe>, <img>, <base> or <script> tags pointing to internal services
<iframe src="file:///etc/passwd" width="400" height="400">
<iframe src="file:///c:/windows/win.ini" width="400" height="400">
Scenario 4: File uploads
When there is a file upload and the request contains input type="file", try changing it to input type="url" and passing a URL
Tools to use:
1) SSRFmap
Link: https://github.com/dreadlocked/SSRFmap
2) Match and Replace script for BurpSuite
Link: https://github.com/Leoid/MatchandReplace
Note: This is just a draft for submitting vulnerabilities to programs, and I will also update the content.