SSRF (Server-side request forgery)

Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

Vulnerability Name: Server-side request forgery (SSRF) on [Domain name]

Vulnerability Description: Server-side request forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Attackers typically use SSRF to reach internal systems that sit behind firewalls and are not reachable from the external network.

[Don't forget to add your own vulnerability description; the one given above is only a general description]

Payload: [SSRF payload]

Steps to Reproduce: [Create your own according to the workflow of website]

Proof-of-concept: Snapshots or video link attached

Impact: It is common to have proper firewall/routing rules in front of external-facing applications, but usually nothing comparable inside the network. That means that once an attacker can make a device already on the network send the requests, there are no security restrictions left protecting the internal systems. Moreover, this could lead to:

  1. Scanning of ports and IP addresses on the internal network.

  2. Interaction with other protocols, such as Gopher, which allows further discovery.

  3. Discovery of the IP addresses of servers running behind a reverse proxy.

  4. Remote code execution.

Attack Scenario: [Create your own according to the workflow of website]

Remediation:

  1. A blacklist is not good protection: with so many different protocols, schemes, encodings and the complexity of URI syntax, bypasses will almost certainly occur. A whitelist (allowlist) of permitted destinations is the better approach.

  2. Disable unused URL schemes.

  3. Require authentication on internal services, so that a forged request from the application server is not trusted by default.
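An allowlist check of the kind the remediation describes, as an added example (not code from the original template); the allowed hosts, the injected resolver and the sample addresses are constructed for illustration:

```python
"""Allowlist-based validation of outbound URLs, as an SSRF defence.

Added example, not code from the original report template. ALLOWED_HOSTS and
the addresses used below are constructed values.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # everything else (file, gopher, ...) is refused
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # constructed allowlist


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (where cloud metadata endpoints live) and
    other reserved ranges all fail this check.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason). Only an exact allowlisted host on http(s) passes."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"      # host@other-host confusion
    host = parts.hostname                         # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    return True, "ok"


def resolved_ips_are_public(host: str, resolver=None) -> bool:
    """Re-check every address the host resolves to right before connecting,
    so a DNS answer pointing at an internal address is rejected even for an
    allowlisted name. `resolver` is injectable so the example runs offline."""
    if resolver is None:
        resolver = lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)]
    ips = resolver(host)
    return bool(ips) and all(is_public_ip(ip) for ip in ips)
```

Call `validate_outbound_url` on the user-supplied URL and `resolved_ips_are_public` on its host immediately before the request is issued; the hostname allowlist alone does not cover a name that later resolves to an internal address.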
