Open in app

Sign in

Write

Sign in

Bug Hunting: SSRF attack

Pravinrp
3 min readOct 12, 2020

What is SSRF attack?

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy

In this section, we'll explain what server-side request forgery is, describe some common examples, and explain how to…

portswigger.net

I have always been curious about finding out SSRF vulnerability. This was the one the bugs that I have recently identified in my target application.

Enumeration:

When I was checking the target application, I will normally look for any URL redirection parameter. This can be identified in multiple ways.

  1. URL query parameters
  2. Search for URL/redirect/http/.com string values in burpsuite sitemap
  3. Use waybackurl tool to identify any historic links have any redirection parameter or not.

tomnomnom/waybackurls

Fetch all the URLs that the Wayback Machine knows about for a domain GitHub is home to over 50 million developers…

github.com

4. Look at your request and responses for the redirection parameter

I have found the redirection parameter in the response body when I was fiddling around with the request.

Attack scenario:

Pre-requisite: Get burp collaborator client ready and running and keep the domain values generated out of the collaborator.

What is burp collaborator?

Burp Collaborator

This section contains information about What Burp Collaborator is, How Burp Collaborator works, Security of data…

portswigger.net

How to burp collaborator?

Steps to Blind SSRF

  1. Initially, login to the target application and edit the profile
  2. Intercept the RESPONSE via burpsuite and inject the payload in “redirectUrl” parameter
  3. The target server was making a request to a burp collaborator. Eventually, the ip address of the server was identified.
  4. Next using this server IP details let us try to scan the ports
  5. First, check for port 22. Try to inject “http://106.***.**.*:22" in “redirectUrl” parameter and the application was providing the responses differently

Since, the application is directly delivering the results, the attacker needs to analyse the response behaviour and identify the open ports.

Scenario: Port 443 is open

Let us check how the application server responds to an open port. Now, I have provided port 443 along with the IP address in the redirectUrl parameter.

ip:443 given in redirectUrl parameter

The below response was shown in the browser.

Port is open

Since the port was open and http were given, the application server was saying to secure the connection.(It means to switch from http to https)

Scenario: Port 22 is closed

As we can see there are different sorts of behaviors by application servers.

Timeline:

  • Submitted on 29 Apr 2020
  • 13 Mar 2020 marked as a duplicate
  • 13 Mar 2020 provided more submission for blind SSRF
  • 14 Mar 2020 bug accepted as Server-Side Request Forgery (SSRF).

If you like the content, please follow me on medium and LinkedIn

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/

Bug Bounty

--

--

Pravinrp

Written by Pravinrp

854 Followers

OSCP/Security geek &researcher(Application/infrastructure/Mobile/cloud security)

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams