SSRF
An SSRF attack causes the server to make a connection to internal services within the organization, or forces the server to connect to arbitrary external systems, potentially leaking sensitive data. Burp Scanner may report an SSRF issue as an "External service interaction (HTTP)".
SSRF sample payloads
Alternative IP representations of 127.0.0.1:
2130706433
017700000001
127.1
Bypass blacklist filter
Double URL encode characters in the URL to obfuscate them, e.g. the "a" becomes %2561, resulting in a bypass of the blacklist filter.
Identify the SSRF in the stockAPI parameter, and bypass the block on localhost and the admin endpoint by changing the URL target to: http://127.1/%2561dmin
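The defensive side of the two bypasses above: a substring blacklist cannot see that 2130706433, 017700000001 and 127.1 are all loopback, or that %2561dmin is /admin. Written for these notes as an added example (not code from the lab or from Burp), it canonicalises the host the way inet_aton does and fully decodes the path before applying the rule; the blocked-address policy and the /admin path rule are assumed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

_PART = re.compile(r"0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*")

def parse_legacy_ipv4(host):
    """Parse an IPv4 literal as BSD inet_aton does: one to four dotted parts,
    each decimal, octal (leading 0) or hex (0x), the last filling the remaining
    bytes. So 2130706433, 017700000001 and 127.1 all become 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    vals = [int(p[2:] or "0", 16) if p[:2].lower() == "0x"
            else int(p, 8) if p[0] == "0" else int(p) for p in parts]
    *head, last = vals
    tail_bits = 8 * (4 - len(head))          # bits covered by the last part
    if any(v > 0xFF for v in head) or last >= 1 << tail_bits:
        return None
    n = last
    for v in reversed(head):                 # earlier parts are higher bytes
        n |= v << tail_bits
        tail_bits += 8
    return ipaddress.IPv4Address(n)

def naive_blacklist_allows(url):
    """The kind of substring blacklist the payloads above get past."""
    return not any(bad in url for bad in ("127.0.0.1", "localhost", "/admin"))

def canonical_target_allows(url):
    """Decide on the canonical address and the fully decoded path, not the raw
    string. Hostnames are not resolved here (offline example); a deployment
    must resolve them and run the same address check on every result."""
    u = urlsplit(url)
    host = u.hostname
    if u.scheme not in ("http", "https") or not host:
        return False
    addr = parse_legacy_ipv4(host)
    try:
        addr = addr if addr is not None else ipaddress.ip_address(host)
    except ValueError:                       # a hostname, not an IP literal
        addr = None
    if host == "localhost" or (addr is not None and (
            addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified)):
        return False
    path = u.path
    while (decoded := unquote(path)) != path:  # %2561dmin -> %61dmin -> admin
        path = decoded
    return not path.startswith("/admin")
```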
Absolute URL and localhost Host header
Identify an SSRF flawed-request-parsing vulnerability by changing the Host header to a Collaborator server, providing an absolute URL in the GET request line, and observing the response at the Collaborator server.
Routing-based Host header SSRF
Identify routing-based SSRF by altering the Host header on the request and observing the response. Routing-based SSRF via the Host header allows insecure access to a localhost intranet.
Remember to include the CSRF token and session cookies.
Open redirection
The target makes a GET request to the next product on the e-commerce site using a path parameter. On the stockAPI POST request, the value provided in the body data is the partial path to the internal system. See the product page source code below.
In this lab they state the admin interface is at http://192.168.0.12:8080/admin, but in the exam use localhost:6566.
On the POST stock request, replace the stockAPI value with the partial path (not the absolute URL) taken from the nextProduct GET request URL.