SSRF Notes
NOTE: I wanted to have everything in one place; these are my reference notes from various bug bounty write-ups and security research. I thank all the authors of the write-ups mentioned below. [Will update if I find anything interesting.]
Description
In an SSRF attack against the server itself, the attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface. This will typically involve supplying a URL with a hostname like 127.0.0.1 (a reserved IP address that points to the loopback adapter) or localhost (a commonly used name for the same adapter).
Many server-side request forgery vulnerabilities are relatively easy to spot, because the application's normal traffic involves request parameters containing full URLs.
Blind SSRF
Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application's front-end response.
IP Filter bypass [IP to Integer]:
Private IP Space
Practice
Web Security Academy : https://portswigger.net/web-security/ssrf
Breaches
Capital One Breach : https://ejj.io/blog/capital-one
Payloads
Aws/google Meta data : https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
SSRF Write Ups
SSRF JavaScript : http://10degres.net/aws-takeover-ssrf-javascript/
SSRF to AWS Creds : https://medium.com/bugbountywriteup/from-ssrf-to-aws-credentials-disclosure-64c51e1bf5dc
SSRF Redirection : https://medium.com/@logicbomb_1/the-unusual-case-of-open-redirection-to-aws-security-credentials-compromise-59acc312f02b
SSRF to read AWS metadata : https://medium.com/@pratiky054/ssrf-to-read-local-files-and-abusing-the-aws-metadata-8621a4bf382
NahamSec PDF Generators : https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/edit
Vimeo SSRF : https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e
Chaining third party open redirects : https://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/
Google cloud SSRF : https://hackerone.com/reports/341876
SSRF to read local files : https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326
Nifty SSRF bug : https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/
Ways to find SSRF :
SSRF Port Scanner : https://blog.cobalt.io/from-ssrf-to-port-scanner-3e8ef5921fbf
CapitalOne Breach Preview : https://application.security/ - Awesome
Prevention
There is no universal protection against SSRF attacks; however, there are a few things to keep in mind:
- A blacklist is not good protection because, with so many different protocols, schemes, encodings and the very complex URI syntax, bypasses will almost certainly occur. Because of this, a whitelist is a better approach.
- When developing REST APIs, it is better to accept HTTP verbs other than POST and GET, which makes it harder for an SSRF vulnerability to make valid requests to the API service: if the SSRF can only issue internal GET requests, it won't be able to talk to the API. It is also important to validate both the request to and the response from internal services.
- Services such as Kibana, Redis, Elasticsearch, MongoDB and Memcached do not require authentication by default; adding it to those services may make it harder to exploit an SSRF vulnerability.
Testing Methodologies
When testing for SSRF against a blacklist, take internal IP addresses and, when encoding them, don't encode the entire IP. Encode one octet of the IP address, or two or three. For instance, for the AWS metadata address: 0251.254.169.254 (the first octet written in octal).
If you find an API endpoint used for uploading, change the upload file parameter to a URL and test for SSRF. Many times this leads to a full-blown SSRF.
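As an added example (not code from any of the write-ups linked above), the check below shows why the octal and "IP to Integer" tricks from these notes defeat a string blacklist, and what the whitelist-style alternative from the Prevention section looks like: canonicalise the host the way inet_aton() would before deciding. The blacklist contents and URLs are constructed; resolving DNS names is assumed to happen elsewhere and is left out so the code runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blacklist of the kind the notes warn against.
BLACKLIST = {"localhost", "127.0.0.1", "169.254.169.254", "169.254.170.2"}

def naive_is_blocked(url):
    """String-compare the host against the blacklist (the weak check)."""
    host = urlsplit(url).hostname or ""
    return host in BLACKLIST

def parse_ipv4_literal(host):
    """Canonicalise an IPv4 literal like inet_aton(): 1-4 dot-separated parts,
    each decimal, octal (leading 0) or hex (0x); the last part fills the rest."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            vals.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):
            vals.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            vals.append(int(p, 10))
        else:
            return None                      # not a numeric literal
    head, last = vals[:-1], vals[-1]
    width = 4 - len(head)                    # bytes the last part occupies
    if any(v > 255 for v in head) or last >= 1 << (8 * width):
        return None
    num = 0
    for v in head:
        num = (num << 8) | v
    return ipaddress.IPv4Address((num << (8 * width)) | last)

def is_internal_target(url):
    """Whitelist-style check: canonicalise first, then reject loopback,
    link-local (cloud metadata) and RFC 1918 targets."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    addr = parse_ipv4_literal(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)   # IPv6 literals such as ::1
        except ValueError:
            return False   # assumption: a DNS name is resolved and re-checked by the caller
    return addr.is_loopback or addr.is_link_local or addr.is_private
```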
Got an SSRF, but the app prevents connecting to localhost (https://bbt.com/redirect.php?)? DNS pinning for the win: create a subdomain, point it to 127.0.0.1, then use a remote redirect:
```php
<?php
header("Location: https://localhost.bbt.com");
die();
?>
```
If you have an SSRF with file system access on an ECS instance, try extracting /proc/self/environ to get the UUID and then hit the ECS metadata endpoint:
`curl http://169.254.170.2/v2/credentials/<UUID>`
This way you'll extract the IAM keys of the attached role.
SSRF advice:
- Test every parameter and input that fetches external resources
- Once it hits your server, plan your attack
- Blind SSRF? Try XSPA
- SSRF? Try fetching the secret access keys
Sometimes you have to keep it simple in #bugbounty. Just got an #SSRF; steps (credits below):
1 Run getallurls for all assets & merge results
2 `cat results | grep "url="| anti-burl | tee ssrf.txt`
3 Review & cleanup list
4 Fuzz all "url-like" params w/ Burp collab & #ffuf