Server side request forgery vulnerabilities (SSRF) – (Part 1)

Friday, 17/03/2023

Tram Ho

I. Pose the problem

1. Introduction

Server-side request forgery (commonly referred to as SSRF) is a type of attack in which an attacker exploits a feature of a public server to gain unauthorized access to data from another specified website, usually web pages. back-end on the server itself. To better understand this type of vulnerability, let’s consider the following example:

In the image above, the attacker exchanges packets with a public server, taking advantage of this server to send requests to the back-end server (intranet). Now the back-end server parses and trusts this request because it is sent from the public server, then returns the response to the public server, and the public server continues to return data to the attacker. The attack process is complete, the way it works is the same as “borrowing a murder knife”! This is also why this type of attack is called “server-side request forgery” – attackers impersonate the server to “legitimately” retrieve sensitive data!

2. Influence

Attackers often take advantage of this type of attack to fake access requests to websites that require high permissions or are not within the reach of regular users, which can be admin pages, End points are only accessible locally or contain sensitive data. From there illegally collecting data or performing destructive acts, in some cases can escalate from SSRF attack to Command Injection attack. Server-side request forgery vulnerability is ranked at number

$10$ in Top Stats

$OWASP’s 10 Web Security Vulnerabilities$ in

$2021 (A10:2021-Server Side Request Forgery (SSRF))$

II. Analyze and exploit Server-side request forgery vulnerabilities

1. SSRF Vulnerability in Some Languages

1.1. PHP language

SSRF vulnerabilities can appear in the PHP programming language when developers do not properly use some functions that work with URLs. For example consider the following code using the file_get_contents() function:

<span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span> <span class="token keyword">isset</span> <span class="token punctuation">(</span> <span class="token variable">$_GET</span> <span class="token punctuation">[</span> <span class="token string single-quoted-string">'url'</span> <span class="token punctuation">]</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token variable">$url</span> <span class="token operator">=</span> <span class="token variable">$_GET</span> <span class="token punctuation">[</span> <span class="token string single-quoted-string">'url'</span> <span class="token punctuation">]</span> <span class="token punctuation">;</span>
    <span class="token variable">$content</span> <span class="token operator">=</span> <span class="token function">file_get_contents</span> <span class="token punctuation">(</span> <span class="token variable">$url</span> <span class="token punctuation">)</span> <span class="token punctuation">;</span>
    <span class="token keyword">echo</span> <span class="token variable">$content</span> <span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span>
    <span class="token keyword">echo</span> <span class="token string double-quoted-string">"Give me the URL to show your content!"</span> <span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</span>

<?php

if ( isset ( $_GET [ 'url' ] ) ) {

$url = $_GET [ 'url' ] ;

$content = file_get_contents ( $url ) ;

echo $content ;

} else {

echo "Give me the URL to show your content!" ;

}

The above code prints the web page content through the url parameter passed by the user using the file_get_contents() function. Example with url=https://google.com :

Since the site doesn’t have any SSRF protection against it, an attacker can easily access the contents of the /etc/passwd file:

Or read the content at another open port of the server – which is only accessible through the local network:

In addition, other functions such as fscokopen() , curl_exec() , … if installed carelessly, can also cause SSRF vulnerabilities, you can learn more through the documents on Google.

1.2. Python language

Consider the following Python code using the Slack library:

<span class="token keyword">from</span> flask <span class="token keyword">import</span> <span class="token operator">*</span>
<span class="token keyword">import</span> requests

app <span class="token operator">=</span> Flask <span class="token punctuation">(</span> __name__ <span class="token punctuation">)</span>

<span class="token decorator annotation punctuation">@app <span class="token punctuation">.</span> route</span> <span class="token punctuation">(</span> <span class="token string">'/ssrf'</span> <span class="token punctuation">)</span>
<span class="token keyword">def</span> <span class="token function">follow_url</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">:</span>
    url <span class="token operator">=</span> request <span class="token punctuation">.</span> args <span class="token punctuation">.</span> get <span class="token punctuation">(</span> <span class="token string">'url'</span> <span class="token punctuation">,</span> <span class="token string">''</span> <span class="token punctuation">)</span>
    <span class="token keyword">if</span> url <span class="token punctuation">:</span>
        <span class="token keyword">return</span> <span class="token punctuation">(</span> requests <span class="token punctuation">.</span> get <span class="token punctuation">(</span> url <span class="token punctuation">)</span> <span class="token punctuation">.</span> text <span class="token punctuation">)</span>

    <span class="token keyword">return</span> <span class="token string">"no url parameter provided"</span>

<span class="token keyword">if</span> __name__ <span class="token operator">==</span> <span class="token string">'__main__'</span> <span class="token punctuation">:</span>
    app <span class="token punctuation">.</span> run <span class="token punctuation">(</span> host <span class="token operator">=</span> <span class="token string">"0.0.0.0"</span> <span class="token punctuation">,</span> port <span class="token operator">=</span> <span class="token number">9999</span> <span class="token punctuation">)</span>

from flask import *

import requests

app = Flask ( __name__ )

@app . route ( '/ssrf' )

def follow_url ( ) :

url = request . args . get ( 'url' , '' )

if url :

return ( requests . get ( url ) . text )

return "no url parameter provided"

if __name__ == '__main__' :

app . run ( host = "0.0.0.0" , port = 9999 )

Due to the failure to implement SSRF vulnerability prevention for the url parameter passed by the user, a website can be subjected to an SSRF attack as follows:

2. Local server access SSRF vulnerability

Attackers often take advantage of SSRF vulnerabilities to access websites that are intended for accounts that have administrator privileges or can only be accessed from the local server side. From there it is possible to use the functions of these websites. Local servers are usually identified with a URL of the form: http://127.0.0.1 or http://localhost . Consider the following lab:

Basic SSRF lab analysis against the local server

Description: The stock check function of the website retrieves data from the intranet and returns it to the user. Here contains SSRF vulnerability. To solve the lab, we need to exploit the SSRF vulnerability to access the admin page with the address http://localhost/admin and delete the carlos user account.

The website contains the function to check the amount of stock left in stock:

Observe the request and response in Burp Suite when using this function:

The stockApi parameter passed by the POST method to the value system is a URL http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1 . This address is only accessible from the local network.

Since the system takes stockApi as a URL, we can expect the snippet here to contain an SSRF vulnerability. Do the test: Using the Burp Collaborator , replace the stockApi value with the newly generated domain:

Send request, result at client collaborator receiving interactive request – DNS lookup successful:

Proving that the stock check function can interact with any URL, it is highly likely that it contains an SSRF vulnerability. Therefore, we can exploit the admin page access vulnerability in a number of ways as follows: