The Hacker Recipes
GitHubTwitterDonate
Searchโ€ฆ
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
๐Ÿ› ๏ธ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
๐Ÿ› ๏ธ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
๐Ÿ› ๏ธ SSTI (Server-Side Template Injection)
๐Ÿ› ๏ธ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
๐Ÿ› ๏ธ CRLF injection
HTTP response splitting
๐Ÿ› ๏ธ Arbitrary file download
๐Ÿ› ๏ธ Directory traversal
๐Ÿ› ๏ธ Null-byte injection
๐Ÿ› ๏ธ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
๐Ÿ› ๏ธ Physical
Locks
Networking
Machines
Super secret zones
๐Ÿ› ๏ธ Intelligence gathering
CYBINT
OSINT
GEOINT
๐Ÿ› ๏ธ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
๐Ÿ› ๏ธ binary exploitation
Use-after-free
Buffer overflow
๐Ÿ› ๏ธ mobile apps
Android
iOS
Powered By GitBook
SSRF (Server-Side Request Forgery)

Theory

A Server-Side Request Forgery (a.k.a. SSRF) is a web vulnerability allowing attackers to make the server-side application do certain requests. This vulnerability can lead to unauthorized actions, Sensitive Information Disclosure and even RCE (Remote Code Execution).
SSRF is very similar to file inclusion since both vulnerabilities can be exploited to access external or internal content. The difference resides in the fact that file inclusion vulnerabilities rely on code inclusion functions (e.g. include() in PHP) while SSRF ones on functions that only handle data (e.g. fopen() in PHP). RFI vulnerabilities will lead to RCE much more often and easily that SSRF ones.

Practice

Testers need to find input vectors and fields that could be used for publishing or importing data from a URL (e.g. GET and POST parameters).
With http://some.website/index.php?url=https://someother.website/index.php, and url being the vulnerable parameter, the following basic payloads can help a tester fetch content of files, scan ports, access filtered resources and so on.
1
file://PATH/TO/FILE
2
http://127.0.0.1:80
3
http://127.0.0.1:22
Copied!
โ€‹SSRFMap (Python) is a tool used to ease the exploitation of SSRFs. Gopherus (Python) can be used to gain RCE (Remote Code Execution) by generating Gopher payloads.

References

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
WebSecAcademy
Server Side Request Forgery Software Attack | OWASP Foundation
PayloadsAllTheThings/Server Side Request Forgery at master ยท swisskyrepo/PayloadsAllTheThings
GitHub
Previous
๐Ÿ› ๏ธ Insecure deserialization
Next
XXE injection
Last modified 1yr ago
Copy link
Edit on GitHub
Contents
Theory
Practice
References