Server Side Request Forgery - ssrf

Published in: Technology

  1. • Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker can make the vulnerable server issue requests of the attacker's choosing.
     • The forged requests go from the vulnerable server to the intranet or to the internet.
     • SSRF usually targets internal systems that sit behind a firewall and are normally unreachable from the outside world.
     • With SSRF it's possible to reach these systems through the vulnerable server.
  2. • Using a protocol supported by one of the available URI schemes, you can talk to services that speak other protocols.
     • By supplying URLs that point at unexpected hosts or ports, attackers make the request appear to come from the server, which can bypass access controls such as firewalls that stop the attackers from reaching those URLs directly.
     • The server can be used as a proxy to port-scan hosts on internal networks, and other URL schemes such as file:// can be used to read documents on the server's own filesystem.
  3. • The basic model: Packet A and Packet B
     – The attacker sends Packet A to Service A
     – Service A sends Packet B to Service B
     – The services can be on the same host or on different hosts
     – Some fields of Packet B can be manipulated from within Packet A
     – The different SSRF attacks depend on how many of those fields can be controlled
  4. • Request smuggling: a protocol the server does support is used to carry commands to a service that speaks a different protocol.
     • With SSRF it's also possible to reach services on the same server that listen only on the loopback interface.
  5. SSRF Types
     • The difference between the various SSRF attacks lies in how much of Packet B we can control through Packet A. This gives four types of SSRF attack in total:
     – Trusted SSRF: we can send requests (Packet B) to remote services, but only to ones that are somehow predefined.
     – Remote SSRF: we can send requests (Packet B) to any remote IP and port. This type has three subtypes, depending on how much of the data we control:
       – Simple Remote SSRF: no control over the application layer of Packet B
       – Partial Remote SSRF: control over some fields of the application layer of Packet B
       – Full Remote SSRF: full control over the application layer of Packet B
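The Packet A / Packet B model and the type taxonomy above describe the attacker's side; the defender's job is to shrink "full remote SSRF" down to at most "trusted SSRF" by fixing which Packet B the server is allowed to send. The following Python is an added example, not code from the slides: a deliberately vulnerable fetcher beside a hardened target check that allowlists the scheme and port and decides on the resolved addresses rather than on the hostname string. The hostnames, addresses and the in-memory DNS table (`FAKE_DNS`, `fake_resolve`) are constructed for the demo so it runs offline; the resolver is injectable so the same check works with the real system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the slides. The attacker controls the `url`
# field of Packet A; the vulnerable fetcher passes it straight to the HTTP
# client, so the attacker also controls scheme, host, port and path of
# Packet B (full remote SSRF). The hardened check restricts Packet B to a
# predefined policy, which is the "trusted SSRF" situation at worst.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolve(host):
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_target(url, resolver=system_resolve):
    """Return (ok, reason) for a user-supplied URL under the hardened policy:
    http(s) only, standard ports only, and every address the host resolves
    to must be a public (global) address. No string matching on "localhost";
    the decision is made on the resolved addresses."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname          # lower-cased, brackets stripped, userinfo removed
    if not host:
        return False, "no host"
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return False, "host %r does not resolve" % host
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped    # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:       # loopback, RFC 1918, link-local, reserved, ...
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"


def fetch_vulnerable(url, http_get):
    """Packet B is whatever the attacker put in Packet A."""
    return http_get(url)


def fetch_hardened(url, http_get, resolver=system_resolve):
    """Refuse anything outside the policy before the client touches the network.
    Caveat: the HTTP client resolves the name again when it connects; to close
    the DNS-rebinding window, connect to the address that was checked."""
    ok, reason = check_target(url, resolver)
    if not ok:
        raise ValueError("refused: " + reason)
    return http_get(url)


# Constructed DNS table so the example runs offline (assumption: these
# names and addresses are invented for the demo).
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    "intranet.local": {"10.0.0.5"},
    "rebind.attacker.test": {"93.184.216.34", "127.0.0.1"},
}


def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:                           # IP literals resolve to themselves
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        raise socket.gaierror("unknown host %r" % host)


if __name__ == "__main__":
    probes = [
        "http://www.example.com/report",        # legitimate Packet B
        "dict://localhost:11211/stats",          # scheme smuggling
        "file:///etc/passwd",                    # local file read
        "http://127.0.0.1:11211/",               # loopback service on an odd port
        "http://intranet.local/admin",           # firewall bypass into RFC 1918 space
        "http://[::ffff:127.0.0.1]/",            # IPv4-mapped loopback
        "http://rebind.attacker.test/",          # name that also maps to loopback
        "http://www.example.com@127.0.0.1/",     # userinfo trick; real host is 127.0.0.1
    ]
    for url in probes:
        print("%-40s %s" % (url, check_target(url, fake_resolve)))
```

The check refuses a name if any of its addresses is non-public, which is what stops the `rebind.attacker.test` case; the remaining gap, noted in `fetch_hardened`, is that the HTTP client does its own lookup, so a production version should hand the client the vetted address (or a resolver pinned to it) rather than the original hostname.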
  6. SSRF Cheat Sheet
     • cURL has extensive support for URL schemes other than HTTP/HTTPS.
     • If the vulnerable server uses cURL to make its HTTP requests, the dict URL scheme can be used to connect to any host on any port and send custom data.
     • The URL dict://localhost:11211/stats makes the server connect to localhost on port 11211 and send the line "stats" (libcurl's DICT handler also puts a CLIENT line before it and a QUIT line after it; a line-oriented service just answers those two with an error).
     • Port 11211 is the default port of Memcached, which is normally not reachable from outside.
     • With this URL it's possible to connect to the local Memcached server and issue commands to it; note that the Memcached command is "stats", not "stat".
     • Memcached has no authentication by default, so the attacker can issue any command it accepts.
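To see what actually reaches the loopback service in the dict:// case, the following Python is an added example (not code from the slides, and not curl or memcached code). `curl_dict_payload` models what libcurl writes to the socket for a plain-path dict:// URL; the CLIENT/QUIT framing and the replacement of ':' by a space are assumptions based on my reading of libcurl's lib/dict.c for the non-DEFINE/MATCH case, so verify them against the curl build in use. `toy_memcached` is a constructed stand-in for memcached's text protocol that implements only stats, delete and flush_all, and the cache contents are invented. It goes beyond the slide's single "stat" URL to show that the ':' substitution lets an attacker form multi-word commands such as delete.

```python
from urllib.parse import urlsplit

# Added example, not code from the slides. It models what libcurl puts on
# the wire for a dict:// URL and what a line-oriented service on the other
# end makes of it. Assumption: the CLIENT/QUIT framing and the ':' -> ' '
# substitution follow my reading of libcurl's lib/dict.c for the plain-path
# (non d:/m:) case; verify against the curl version actually in use.

DICT_DEFAULT_PORT = 2628          # RFC 2229
CLIENT_NAME = "libcurl"


def curl_dict_payload(url):
    """Return (host, port, bytes) for the connection libcurl would make.
    The path after the leading '/' is sent as a raw command line, with every
    ':' turned into a space, between a CLIENT line and a QUIT line."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "dict":
        raise ValueError("not a dict:// URL")
    host = parts.hostname
    port = parts.port or DICT_DEFAULT_PORT
    raw = parts.path[1:] if parts.path.startswith("/") else parts.path
    if raw.startswith(("d:", "m:")):
        raise ValueError("DEFINE/MATCH form not modelled in this example")
    command = raw.replace(":", " ")
    wire = "CLIENT %s\r\n%s\r\nQUIT\r\n" % (CLIENT_NAME, command)
    return host, port, wire.encode()


def lines_seen_by_service(wire):
    """A text-protocol service such as memcached reads the stream one
    CRLF-terminated line at a time, so every line is a candidate command."""
    return [line.decode() for line in wire.split(b"\r\n") if line]


def toy_memcached(lines, store):
    """Toy model of memcached's text protocol, constructed for this example
    (not memcached itself). Commands are lowercase and case-sensitive; anything
    it does not recognise, including curl's CLIENT and QUIT lines, gets ERROR."""
    replies = []
    for line in lines:
        words = line.split()
        if words and words[0] == "stats":
            replies.append("STAT curr_items %d\r\nEND" % len(store))
        elif words and words[0] == "flush_all":
            store.clear()
            replies.append("OK")
        elif len(words) == 2 and words[0] == "delete":
            replies.append("DELETED" if store.pop(words[1], None) is not None
                           else "NOT_FOUND")
        else:
            replies.append("ERROR")
    return replies


def smuggle(url, store):
    """Run the whole chain: URL handed to the vulnerable server -> bytes on the
    wire -> lines the loopback service executes -> its replies."""
    host, port, wire = curl_dict_payload(url)
    return (host, port), toy_memcached(lines_seen_by_service(wire), store)


if __name__ == "__main__":
    cache = {"session_42": "admin-token", "session_43": "user-token"}  # constructed
    for url in ("dict://localhost:11211/stats",
                "dict://localhost:11211/delete:session_42",   # ':' becomes ' '
                "dict://localhost:11211/flush_all"):
        target, replies = smuggle(url, cache)
        print(url, "->", target, replies)
```

The run shows the shape of the attack: the two framing lines cost nothing (memcached answers ERROR and keeps the connection open), the middle line is executed verbatim, and because the path cannot contain a literal space the ':' substitution is what turns a URL path into a multi-word command. Any other loopback service that accepts CRLF-delimited text commands is reachable the same way, which is why the hardening on the previous slide allowlists the scheme instead of trying to enumerate dangerous ones.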