What is SSRF attack?
What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
In this section, we'll explain what server-side request forgery is, describe some common examples, and explain how to…
I have always been curious about finding out SSRF vulnerability. This was the one the bugs that I have recently identified in my target application.
When I was checking the target application, I will normally look for any URL redirection parameter. This can be identified in multiple ways.
- URL query parameters
- Search for URL/redirect/http/.com string values in burpsuite sitemap
- Use waybackurl tool to identify any historic links have any redirection parameter or not.
Fetch all the URLs that the Wayback Machine knows about for a domain GitHub is home to over 50 million developers…
4. Look at your request and responses for the redirection parameter
I have found the redirection parameter in the response body when I was fiddling around with the request.
Pre-requisite: Get burp collaborator client ready and running and keep the domain values generated out of the collaborator.
What is burp collaborator?
This section contains information about What Burp Collaborator is, How Burp Collaborator works, Security of data…
How to burp collaborator?
Steps to Blind SSRF
- Initially, login to the target application and edit the profile
- Intercept the RESPONSE via burpsuite and inject the payload in “redirectUrl” parameter
- The target server was making a request to a burp collaborator. Eventually, the ip address of the server was identified.
- Next using this server IP details let us try to scan the ports
- First, check for port 22. Try to inject “http://106.***.**.*:22" in “redirectUrl” parameter and the application was providing the responses differently
Since, the application is directly delivering the results, the attacker needs to analyse the response behaviour and identify the open ports.
Scenario: Port 443 is open
Let us check how the application server responds to an open port. Now, I have provided port 443 along with the IP address in the redirectUrl parameter.
The below response was shown in the browser.
Since the port was open and http were given, the application server was saying to secure the connection.(It means to switch from http to https)
Scenario: Port 22 is closed
As we can see there are different sorts of behaviors by application servers.
- Submitted on 29 Apr 2020
- 13 Mar 2020 marked as a duplicate
- 13 Mar 2020 provided more submission for blind SSRF
- 14 Mar 2020 bug accepted as Server-Side Request Forgery (SSRF).