Generic SSRF Vulnerability Scanner
Server-side request forgery (SSRF), is a vulnerability that allows an attacker to execute unauthorized requests from the perspective of the webserver. SSRF can be used to access sensitive data, such as internal network resources and user data, or to launch attacks on other systems from the webserver. The impact of SSRF attacks can be significant. They can allow attackers to arbitrary command execution, access internal apps, and even scan ports in the local network.
Short Info
Level
High
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
3 days
Scan only one
URL, Request
Toolbox
-
Sample Attack Scenario For Server-Side Request Forgery
Consider a vulnerable web application that allows users to screenshot of webpages.
Pseudo SSRF Vulnerable Web Page:
WEBPAGE = get_input(PAGE) CONTENT = get_content_of(WEBPAGE) IMAGE = create_an_image(CONTENT) show_image(IMAGE)
Pseudo-code given above takes an URL as an input, gets the content of the URL, creates an image, and then image to the user.
The simple scenario is a user gives https://google.com as input and sees a screenshot of google.
However, if the attacker gives input as http://localhost, file://etc/passwd, or http://127.0.0.1:8080 the vulnerable app will request to given URLs and show screenshots of local apps or files. Since the request will be made by the webserver this vulnerability is called server-side request forgery (SSRF).
It is also important to note that not all SSRF vulnerabilities can be easily exploited. In some cases, it may be necessary for an attacker to have access to the target system or network in order to exploit the vulnerability. Additionally, some SSRF vulnerabilities may require specific knowledge or techniques to be exploited.
Sample Payloads for SSRF
Payload is a string that is used to execute an attack. The following are some example payloads that can be used to exploit SSRF vulnerabilities:
- http://localhost:8080 - This will request the localhost webserver on port 8080
- file:///etc/passwd - This will request the local filesystem and display the contents of /etc/passwd
- http://127.0.0.1 - This will request the local machine on IP address 127.0.0.1
- jar:http://127.0.0.1!/ - This will request the local machine on IP address 127.0.0.1 (Java only)
- sftp://attacker.com:11111/ - A network protocol used for secure file transfer over secure shell
- tftp://attacker.com:12346/TESTUDPPACKET - Trivial File Transfer Protocol, works over UDP
- ldap://localhost:11211/%0astats%0aquit - Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.