🟩Server-Side Request Forgery (SSRF)
Induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
Exploiting
SSRF against the server itself
Attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface (EX: http://localhost/admin)
SSRF against other back-end systems
Attacker can exploit the SSRF vulnerability to access the other interface by submitting a internal HTTP request (EX: http://192.168.1.105/admin)
Blind SSRF vulnerabilities
Response from the back-end request is not returned in the application's front-end response
Find vulnerability
Observe a DNS look-up for the supplied Burp Collaborator domain
Example (Blind SSRF with Shellshock exploitation)
Bypass
Bypass blacklist-based
Change "127.0.0.1" to
Registering your own domain name that resolves to 127.0.0.1. You can use "spoofed.burpcollaborator.net" for this purpose
Obfuscating blocked strings using URL encoding or case variation. Example
Bypass whitelist-based
Using "@" char
https://expected-host@evil-host.netUsing "#" char
https://evil-host#expected-host.netCreate a invalid domain
https://expected-host.evil-host.netUse URL-encode characters to confuse the URL-parsing code
http://localhost:80%2523@evil-host.net/admin
Bypassing SSRF filters via open redirection
Exapmle-1
/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin
Exapmle-2
If "/product/stock" vulnerable to SSRF and "/nextProduct" vulnerable to OpenRedirect, Then
Last updated