Bug Hunting: SSRF attack

What is SSRF attack?

I have always been curious about finding SSRF vulnerabilities. This was one of the bugs that I recently identified in my target application.

Enumeration:

When checking a target application, I normally look for any URL redirection parameter. This can be identified in multiple ways:

  1. URL query parameters
  2. Search for URL/redirect/http/.com string values in the Burp Suite sitemap
  3. Use the waybackurls tool to check whether any historic links carry a redirection parameter
  4. Look at your requests and responses for the redirection parameter

I have found the redirection parameter in the response body when I was fiddling around with the request.

Attack scenario:

Pre-requisite: get the Burp Collaborator client ready and running, and keep the domain values it generates at hand.

What is Burp Collaborator?

How to use Burp Collaborator?

Steps to Blind SSRF

  1. Initially, log in to the target application and edit the profile
  2. Intercept the RESPONSE via Burp Suite and inject the payload in the “redirectUrl” parameter
  3. The target server made a request to the Burp Collaborator domain. From that callback, the IP address of the server was identified.
  4. Next, using this server IP, let us try to scan the ports
  5. First, check port 22. Injecting “http://106.***.**.*:22” in the “redirectUrl” parameter made the application respond differently depending on the port

Since the application delivers the result of its request directly, the attacker only needs to analyse the response behaviour to identify open ports.

Scenario: Port 443 is open

Let us check how the application server responds to an open port. Now, I have provided port 443 along with the IP address in the redirectUrl parameter.

ip:443 given in redirectUrl parameter

The below response was shown in the browser.

Port is open

Since the port was open and http was given, the application server asked to secure the connection (i.e. to switch from http to https).

Scenario: Port 22 is closed

As we can see, the application server behaves differently for an open port and a closed one, and that difference is what makes the blind SSRF usable as a port scan.
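The root cause described above is that the server fetched whatever was placed in “redirectUrl”, so the parameter could be pointed at Collaborator and then at the server’s own IP on ports 22 and 443. The following is an added example, not code from the post or from the target application, showing the vulnerable pattern beside a deny-by-default check; the parameter name, the allow-listed hosts and the permitted ports are assumptions.

```python
"""Allow-listing a redirect/fetch URL parameter (added example, hypothetical app).

The post describes an app that fetched whatever was in "redirectUrl",
which let the tester reach Burp Collaborator and then probe ports 22 and
443 on the server's own IP by watching for different responses.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list: named hosts only, scheme-default ports or 80/443.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 80, 443}  # None = no explicit port in the URL


def unsafe_redirect_target(params: dict) -> str:
    """Vulnerable pattern: trusts redirectUrl verbatim, as the post found."""
    return params["redirectUrl"]


def safe_redirect_target(params: dict) -> Optional[str]:
    """Return the URL only if it passes every check, otherwise None."""
    url = params.get("redirectUrl", "")
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if parts.username or parts.password:  # reject "allowed.host@evil" tricks
        return None
    if port not in ALLOWED_PORTS:  # blocks the :22 / :8080 style probing
        return None
    try:
        ipaddress.ip_address(host)  # any IP literal (106.x.x.x, 127.0.0.1, ::1)
        return None                 # is refused outright; only names are allowed
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:  # allow-list, not a deny-list
        return None
    return url
```

Even an allow-listed name can resolve to an internal address later (DNS rebinding), so the outbound client should also check the resolved address at connect time and must not follow redirects blindly.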

Timeline:

  • Submitted on 29 Apr 2020
  • 13 Mar 2020 marked as a duplicate
  • 13 Mar 2020 provided more submission for blind SSRF
  • 14 Mar 2020 bug accepted as Server-Side Request Forgery (SSRF).

If you like the content, please follow me on medium and LinkedIn

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/
