The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
SSRF (Server-Side Request Forgery)

Theory

A Server-Side Request Forgery (a.k.a. SSRF) is a web vulnerability allowing attackers to make the server-side application do certain requests. This vulnerability can lead to unauthorized actions, Sensitive Information Disclosure and even RCE (Remote Code Execution).
SSRF is very similar to file inclusion since both vulnerabilities can be exploited to access external or internal content. The difference resides in the fact that file inclusion vulnerabilities rely on code inclusion functions (e.g. include() in PHP) while SSRF ones on functions that only handle data (e.g. fopen() in PHP). RFI vulnerabilities will lead to RCE much more often and easily that SSRF ones.

Practice

Testers need to find input vectors and fields that could be used for publishing or importing data from a URL (e.g. GET and POST parameters).
With http://some.website/index.php?url=https://someother.website/index.php, and url being the vulnerable parameter, the following basic payloads can help a tester fetch content of files, scan ports, access filtered resources and so on.
file://PATH/TO/FILE
http://127.0.0.1:80
http://127.0.0.1:22
SSRFMap (Python) is a tool used to ease the exploitation of SSRFs. Gopherus (Python) can be used to gain RCE (Remote Code Execution) by generating Gopher payloads.

References

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
WebSecAcademy
Server Side Request Forgery Software Attack | OWASP Foundation
PayloadsAllTheThings/Server Side Request Forgery at master · swisskyrepo/PayloadsAllTheThings
GitHub
Previous
🛠️ Insecure deserialization
Next
XXE injection
Last modified 1yr ago
Copy link
Outline
Theory
Practice
References