What is Server Side Request Forgery (SSRF)?
Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server.
Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it’s possible to access these systems). With SSRF it’s also possible to access services from the same server that is listening on the loopback interface.
Using Server Side Request Forgery attacks it’s possible to:
- Scan and attack systems from the internal network that are not normally accessible
- Enumerate and attack services that are running on these hosts
- Exploit host-based authentication services
The guys from ONSec Labs maintain a very detailed document with a lot of useful information about Server Side Request Forgery (SSRF) attacks.
Depending on the vulnerable server, various attack vectors are available. For example, cURL has an extensive support of URL schemas other than HTTP/HTTPS. So, if the vulnerable server is using cURL to make HTTP requests, it’s possible to use the dict URL schema to make requests to any host on any port and send custom data.
The URL dict://locahost:11211/stat will cause the server to connect to localhost on port 11211 and send the string “stat”. Port 11211 is the default port used by Memcached. So, with this URL it’s possible to connect to the local Memcached server and issue various commands. Normally, Memcached is not accessible from outside. Also, Memcached doesn’t support any type of authentication and therefore the attacker can issue any type of command.
Detection of Server Side Request Forgery
Acunetix WVS version 9 with AcuMonitor service can detect such vulnerabilities in an automated way.
When scanning a website, the scanner will inject various payloads that (if the server is vulnerable) will issue an HTTP request to the AcuMonitor server. After this, the scanner will contact AcuMonitor and confirm if such request was made. If so, an alert is issued.
The alert contains some information about the HTTP request that was performed: the IP address of the server that made this request and the User-agent used in the request. This information can help the developers identify the source of the problem and fix it.