I am looking to gain a better understanding of the SSRF vulnerability. I have googled and watched YouTube tutorials but they all show advanced techniques that are difficult to understand.

I am curious as to how to connect to a website with my localhost server, and once connected, how I can then read directories of that website from my localhost.

If I use Windows 7 can I test the SSRF vulnerability?

Sjoerd
Rifat Shommo

2 Answers


Server side request forgery is a vulnerability where a server connects to an arbitrary host supplied by the attacker.

When testing it is useful to have a host available on the internet that the server can connect to. This will typically not work with your home or work PC, because it is behind a firewall or behind NAT. If the server connects to your IP address, your router will block the connection. Ideally you would have a server with a public IP address, such as a VPS with a hosting provider. Alternatively, you could configure port forwarding in your router.

An alternative is to use a third party service. For example, the Burp Collaborator is a server that will notify you of any interactions with it.

Note that it is not necessarily a vulnerability if a remote server connects to your server. The vulnerability comes if the server exposes information from the local network it is in. Then you can exploit the "server side" of SSRF to navigate the network that you can't normally reach.

Sjoerd
  • If I host a site with Apache, can I test SSRF? – Rifat Shommo Aug 01 '18 at 09:16
  • @RifatShommo Yes, as long as the machine you're testing (the "victim") can ping it. You'll also need to set up that site to log every connection that is made to it, otherwise you'll have no way to tell if an SSRF happened or not. – Mike Ounsworth Aug 01 '18 at 12:58
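The answer above describes SSRF as a server connecting to an attacker-supplied host and says the real damage comes when that host is inside the server's own network. The defensive counterpart is to validate where a user-supplied URL actually points before fetching it. The following is an added example, not code from the original post or either answerer: a pre-fetch check that rejects URLs whose host resolves to loopback, private, link-local or otherwise internal address space. The hostnames and addresses in the comments are constructed, and the `resolver` parameter is a hypothetical hook so the check can be exercised offline.

```python
"""Added example: block SSRF by refusing fetch targets in internal address space.

Assumed policy (not from the page): only http(s) URLs whose host resolves
exclusively to public unicast addresses may be fetched by the server.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every address string the host resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_internal(addr_str):
    """True for loopback, RFC1918/ULA, link-local (e.g. 169.254.169.254,
    the usual cloud metadata address), reserved, multicast or unspecified."""
    addr = ipaddress.ip_address(addr_str)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.5) must be judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_fetch_target(url, resolver=resolve_all):
    """Raise ValueError if the URL may not be fetched; else return (host, addresses)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    addrs = resolver(parts.hostname)
    # Reject if ANY resolved address is internal: a host with one public and
    # one private record must not be allowed to slip through on the public one.
    for a in sorted(addrs):
        if is_internal(a):
            raise ValueError("%s resolves to internal address %s" % (parts.hostname, a))
    return parts.hostname, addrs


def is_allowed_url(url, resolver=resolve_all):
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        validate_fetch_target(url, resolver)
        return True
    except ValueError:
        return False
```

Two caveats the check alone does not cover: the fetch must connect to the addresses that were validated (otherwise a second DNS lookup can return a different, internal answer), and any HTTP redirect the client follows must go through the same validation.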
Let's suppose we have a server reachable from internet that is hosting a webapp (server-a).

This webapp uses an XML parser that parses some XML sent by the user's browser. Let's assume the XML parser is vulnerable to XXE.

Server-a is also part of a local network in which a private server (private-server-b) is present, hosting a private service (secret-service-b) that is meant to be accessed only by users in the local network and not from outside.

If the attacker sends this XML to the webapp, the parser will follow the instructions contained in it and will try to access http://private-server-b/secret-service-b?ssrf

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://private-server-b/secret-service-b?ssrf">
    <roottag>ssrf attack!</roottag>

The result is that an attacker can perform requests from a server-side point of view. See also this good document.

nicolimo86