Introduction
Server-side request forgery (SSRF) is a vulnerability found in websites and web applications. It allows an attacker to trick a website into sending requests to another server of the attacker's choosing. Because these requests originate from the server itself, requests that were never meant to be possible are allowed to proceed. This enables an attacker to read sensitive data reachable from the website's server and to perform unauthorized actions on it.
Basic SSRF against the local server
Basic SSRF against another back-end system
SSRF with blacklist-based input filter
SSRF with filter bypass via open redirection vulnerability
Blind SSRF with out-of-band detection
SSRF with whitelist-based input filter
Blind SSRF with Shellshock Exploitation
Basic SSRF Against the Local Server: PortSwigger Web Security
Lab Description
This lab features a stock check feature that fetches data from an internal system or server. To solve this lab, we need to modify the stock check URL and gain access to the internal system as an admin. Once we have accessed the internal network, we must delete the user “Carlos” to solve the lab.
Lab Solution
First, access the lab and view any product. Then, open Burp Suite and capture the request when checking the stock.
When I clicked on “View Product” and intercepted the “Check Stock” request, I saw a “stockApi” parameter whose value is the URL the server fetches stock data from on the internal network.
First, we need to test whether this API is vulnerable to SSRF.
To test the API, I inserted a Burp Collaborator payload into the stockApi parameter and forwarded the request.
As you can see, I received DNS and HTTP interactions in Burp Collaborator, which means the server fetched the URL I supplied. The stock check feature is therefore vulnerable to SSRF.
I inserted “http://localhost/” into the stockApi parameter, and the response contained the server's own local site, giving me access to the internal network.
When I appended “/admin” after “localhost”, I gained access to the admin panel:
http://localhost/admin
Now, we need to delete Carlos’s account. Using the stockApi parameter again, I requested the delete endpoint of the admin panel:
http://localhost/admin/delete?username=carlos
Sending this URL through the stockApi parameter deleted Carlos’s account, and the lab Server-side Request Forgery was solved.
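The root cause of this lab is that the server fetches whatever URL arrives in stockApi. As an added example (not code from the original post or from PortSwigger), here is that behaviour beside a hardened check that allowlists the back-end host and refuses destinations that resolve to loopback, private or link-local addresses; the hostname stock.internal.example and the resolver hook are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only back-end the stock checker
# is meant to reach. Hypothetical hostname, not taken from the lab.
ALLOWED_STOCK_HOSTS = {"stock.internal.example"}


def vulnerable_stock_api_target(stock_api: str) -> str:
    """Lab behaviour: the server fetches whatever URL the client supplied,
    so 'http://localhost/admin' reaches the admin panel."""
    return stock_api


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.x, cloud metadata),
    unspecified and other non-global ranges, for both IPv4 and IPv6."""
    return not ipaddress.ip_address(ip).is_global


def safe_stock_api_target(stock_api: str,
                          resolver: Callable[[str], str] = socket.gethostbyname
                          ) -> Tuple[str, str]:
    """Hardened handler: allowlist the host, then check the address it
    resolves to before connecting. Returns (url, ip) or raises ValueError."""
    parts = urlsplit(stock_api)
    if parts.scheme.lower() not in {"http", "https"}:
        raise ValueError("only http/https may be fetched")  # no file://, gopher://
    host = parts.hostname  # lower-cased, without userinfo or port
    if host not in ALLOWED_STOCK_HOSTS:
        raise ValueError(f"host {host!r} is not an allowed stock back-end")
    ip = resolver(host)
    if is_internal_address(ip):
        raise ValueError(f"{host} resolves to internal address {ip}")
    # Connect to `ip` rather than re-resolving `host`, so a later DNS answer
    # (DNS rebinding) cannot redirect the fetch to an internal address.
    return stock_api, ip
```

Note that a blacklist of strings such as "localhost" or "127.0.0.1" would not be enough on its own; checking the resolved address and allowlisting the host is what closes the hole.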
In the next posts, we will solve the remaining labs. Don’t forget to follow us on Twitter @masaudsec.
To continue studying, check out the next lab, Basic SSRF Against Another Back-End System, but finish the current lab before moving on. Good luck!