Server-side request forgery (SSRF) is a web security vulnerability that occurs when an application performs a request to a remote host supplied by the user without validating it. An attacker can exploit this in different ways depending on how the application handles the response from the requested host. Most commonly, the attacker makes the application send requests to its own internal network and tries to reach internal services. This may allow the attacker to access sensitive information and/or exploit further vulnerabilities in the discovered services.
Imagine the following PHP code that uses the cURL library to send a simple HTTP request.
The PHP code takes user input from the GET parameter url without validating its value. An attacker can therefore set any host as the value and make the vulnerable server perform an HTTP request to it.
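For comparison, here is a hardened form of that fetch, written as an added example rather than the article's own code: it restricts the scheme, resolves the host and rejects any answer in a private, loopback or reserved range, and then pins cURL to the checked address so the check cannot be bypassed by a redirect or a DNS rebind. It assumes PHP 8 with the curl extension; the function names (fetch_remote, resolve_host, is_public_ip) are hypothetical.

```php
<?php
// Added example, not the article's code: a hardened form of the cURL fetch.

function is_public_ip(string $ip): bool {
    // Rejects loopback, link-local, private (RFC 1918, fc00::/7) and reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function resolve_host(string $host): array {
    // A literal IP resolves to itself; otherwise collect every A and AAAA answer,
    // so a name with one internal address among several is still rejected.
    $host = trim($host, '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach (dns_get_record($host, DNS_A) ?: [] as $r)    { $ips[] = $r['ip']; }
    foreach (dns_get_record($host, DNS_AAAA) ?: [] as $r) { $ips[] = $r['ipv6']; }
    return $ips;
}

function fetch_remote(string $url): string|false {
    $p = parse_url($url) ?: [];
    $scheme = strtolower($p['scheme'] ?? '');
    if (!isset($p['host']) || isset($p['user'])
        || !in_array($scheme, ['http', 'https'], true)) {
        return false;                        // no credentials, no file://, gopher://, ...
    }
    $ips = resolve_host($p['host']);
    if ($ips === [] || count(array_filter($ips, 'is_public_ip')) !== count($ips)) {
        return false;                        // unresolvable, or an answer is internal
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $pin  = str_contains($ips[0], ':') ? "[{$ips[0]}]" : $ips[0];   // bracket IPv6
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,     // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // Pin the connection to the address just checked (defeats DNS rebinding).
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$pin}"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

Because dns_get_record queries DNS directly, a name that only resolves through /etc/hosts is treated as unresolvable and refused, which is the safe default here. Where the application only ever needs a handful of known hosts, an explicit allowlist checked before resolve_host is simpler still.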
To exploit this server-side request forgery (SSRF) vulnerability in the url parameter, we can make an HTTP request as follows:
When this request is made to the vulnerable application, it will extract the value from the url parameter and make an internal request to itself.
We can perform a fuzz attack to see if we can detect any HTTP service running on another port internally on our target. To do this, we will use the Wfuzz tool and give it the following arguments:
This command prepares a fuzz attack and tests all 65535 ports to see if any of the ports are open for us to interact with. Once an open port is found, we can continue the attack by trying to exploit the service running on that specific port.