What is SSRF? (Portswigger – Lab: Basic SSRF against the local server)

Hello Cyberman!

This article is about SSRF attacks. It is part of a series of articles that walk through Portswigger lab solutions.

First, What Is SSRF?

Server-Side Request Forgery (SSRF) is a very common web vulnerability. It occurs when an attacker can control a parameter that the web application uses to build a request, so that the vulnerable server itself generates requests to a destination of the attacker's choosing.

 

With this vulnerability, the attacker can access other resources that belong to the system, and in some cases modify them.

Typical root causes of this attack vector: code that passes a user-controlled URL straight into an HTTP client, an insecure build or deployment, insufficient validation or filtering of the requested URL, an allow-list of hosts that is too permissive, and similar mistakes.

In Which Systems? 

Generally, this vulnerability appears where one system retrieves data from another on the user's behalf, for example a web application that fetches a URL supplied in the user's request.

 

What Can Be Done With This Vulnerability?

If the attacker changes the URL parameter to point at localhost, the server fetches its own local resources and returns them to the attacker. This is the classic Server Side Request Forgery against the local server.

– Bypass a firewall and reach the back-end system behind it.
– Bypass IP-address-based access checks.
– Bypass authentication that trusts requests originating from the server itself (for example, an admin interface that is only open to loopback).
– Scan the internal network that the server is connected to.
– Reach internal APIs and modify data.
– Read files on the server, when the URL handler also accepts schemes such as file://.
– Make requests that appear to originate from the trusted server, so that downstream services treat the attacker's traffic as the server's own.
– Bypass protections such as CloudFlare and learn the real (origin) IP address of the system, by making the server connect out to an attacker-controlled host.
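To make the vulnerability concrete, here is an added example (written for this article, not code from the lab or from Portswigger) showing the vulnerable pattern beside a hardened version in Python. The back-end host name, port and path prefix in the allow-list are assumptions for illustration; the payloads checked against it are the ones the lab uses.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed back-end for the stock checker (constructed for this example, not taken from the lab).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_ORIGINS = {("stock.example-shop.internal", 8080)}
ALLOWED_PATH_PREFIX = "/product/stock/"


def vulnerable_stock_url(stock_api: str) -> str:
    """The pattern the lab exploits: whatever the client sends in stockApi is fetched as-is.

    An attacker can point this at http://localhost/admin and the server will
    fetch its own admin interface on their behalf.
    """
    return stock_api


def validate_stock_api(stock_api: str) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short rejection reason.

    Positive allow-listing (scheme, host, port, path prefix) is the primary
    control; the non-public IP check is defence in depth for IP literals.
    """
    parts = urlsplit(stock_api)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"  # blocks file://, gopher://, and a missing scheme

    # "http://allowed-host@localhost/" parses the real host as 'localhost'; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"

    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return "missing host"

    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80

    # IP literals: refuse loopback, private, link-local and other non-global ranges.
    # Short forms such as "127.1" do not parse here and fall through to the allow-list.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return "non-public address"

    if (host, port) not in ALLOWED_ORIGINS:
        return "origin not in allow-list"

    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return "path not allowed"

    return None


def hardened_stock_url(stock_api: str) -> str:
    """Return the URL to fetch, or raise ValueError with the rejection reason."""
    reason = validate_stock_api(stock_api)
    if reason is not None:
        raise ValueError(f"refusing stockApi {stock_api!r}: {reason}")
    return stock_api
```

Two caveats the validator alone does not cover: the HTTP client that fetches the allowed URL must not follow redirects (an allow-listed host could 302 to localhost), and the address the client actually connects to should be checked at connection time, because an allow-listed name can be made to resolve to an internal IP (DNS rebinding).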

An Example Attack

For a live example, you can try Portswigger's labs: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

First, create an account on that site. Don't forget, Portswigger is a good source of tutorials and news, and it makes great cyber tools. For example, Burp Suite!

For download: https://portswigger.net/burp

Yes, let's click on "Access the lab" when we enter the site, and get into the lab.

We come across a shopping site. Let's open one of the products.

There is a "Check stock" button. When the user presses it, the page shows how many units of the product are available at other locations.

For example: 292 units are in stock in Milan. Now let's think differently. How does the site find out how many units are in Milan, and what does that request look like? We need Burp Suite to learn that.

Ok, let's open Burp Suite, then press the button again and watch the request the site sends.

First, if you don't know how to use Burp Suite, look at: https://portswigger.net/burp/documentation/desktop/penetration-testing

With Burp Suite open, let’s press the “Check Stock” button again.

Burp Suite's output is as seen in the picture above. There is a parameter in the request body, named "stockApi", and its value is the URL the server fetches to look up the stock. Okay, so first send this raw request to "Repeater" in Burp Suite.

As seen in the picture above. Now give the parameter a different value: "http://localhost/admin"

"Repeater" is very useful for seeing results quickly.

 
 
As seen in the picture above, in the "Response" field we see the system's "admin" page, which the server happily fetched for us because the request came from localhost. Okay, now send this request on.

The POST is sent as seen in the picture above.

If we send the POST, the output in the website is as seen in the picture above. Now we delete the user Carlos. Press "Delete" and then look at Burp Suite.

As seen in the picture above, the user is deleted with a GET request. Now press "Check Stock" again and add the path of that GET request to the stockApi value, so the server makes the delete request for us.

Make the POST as seen in the picture above, and give the parameter the value: "http://localhost/admin/delete?username=carlos"

Now send the POST. Finally, user "carlos" is deleted, with the output as seen in the picture below. This solves the lab.

 

"Congratulations, you've solved the lab," says Portswigger. I hope it was understandable.

Also, not forgetting, a list of useful resources:

Also, you might be wondering, here is the list of tools for this attack method:

 

Have a nice day with lots of informatics 🙂 

2 Comments

  1. I must thank you for the efforts you’ve put in writing this website.

    I really hope to view the same high-grade content by you in the future as well.

    In truth, your creative writing abilities have motivated me to get my own blog now 😉
