AppSecExplained
  • Index < START HERE
    • My courses
    • How to get started from zero
  • 📽️Live Stream Content
    • Resource of the week
  • Discovery / Recon
    • Methodology
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • Code review
    • Getting started
    • Sinks
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
Powered by GitBook
On this page
  • What is it?
  • Checklist
  • Exploitation

Was this helpful?

  1. Common vulns

Server-side request forgery (SSRF)

What is it?

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. It can be used by an attacker to interact with internal systems, possibly bypassing firewalls or accessing unauthorized data.

A simple example

A vulnerable web application uses a parameter to retrieve an image from a URL, i.e., /loadImage?url={imageURL}. An attacker can potentially change the {imageURL} to point to internal resources that should not be exposed, such as http://localhost/admin or http://internal-service/api/secrets.

The impact of an SSRF vulnerability includes:

  • Access to internal services and data

  • Remote code execution

  • Denial of Service (DoS)

Other learning resources:

  • PortSwigger: https://portswigger.net/web-security/ssrf

  • Swisskyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

Checklist

Exploitation

# Basic internal interaction
http://localhost/admin

# Using alternative IP notation (for 127.0.0.1)
http://2130706433 

# Cloud metadata exposure (AWS)
http://169.254.169.254/latest/meta-data/
Previous.NETNextInsecure file upload

Last updated 1 year ago

Was this helpful?