What is Server Side Request Forgery (SSRF)?
Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker can make the vulnerable server issue requests to destinations of the attacker's choosing.
SSRF attacks usually target internal systems behind the firewall that are not reachable from the outside world; the vulnerable server can reach them, so it acts as a proxy for the attacker. SSRF can also reach services on the vulnerable server itself that listen only on the loopback interface.
Using Server Side Request Forgery attacks it’s possible to:
- Scan and attack systems from the internal network that are not normally accessible
- Enumerate and attack services that are running on these hosts
- Bypass host-based authentication, i.e. abuse services that trust any request arriving from localhost or from an internal address
ONSec Labs maintain a very detailed document with a lot of useful information about Server Side Request Forgery (SSRF) attacks.
Depending on the vulnerable server, various attack vectors are available. For example, cURL supports many URL schemes besides HTTP and HTTPS. So, if the vulnerable server uses cURL to make its HTTP requests, the dict URL scheme can be used to connect to any host on any port and send a largely attacker-chosen line of text.
dict://localhost:11211/stats will cause the server to connect to localhost on port 11211 and send the string “stats” (cURL's dict handler wraps it in a CLIENT banner line and a trailing QUIT, and turns colons in the path into spaces, so command arguments can be passed as well). Port 11211 is the default port used by Memcached, so with this URL it is possible to talk to the local Memcached instance and issue commands to it. Normally Memcached is not reachable from outside, and by default it requires no authentication, so the attacker can issue any command it understands.
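The following is an added illustration, not code from the original article, from Acunetix or from the cURL project. The first function reproduces what libcurl's dict handler writes to the socket for a non-lookup dict:// path (an assumption based on libcurl 7.x's lib/dict.c; the version string in the CLIENT line is also assumed). The second is the gate a server-side fetcher should apply before fetching a user-supplied URL: allow only http/https on standard ports, resolve the host, and refuse loopback, private, link-local and IPv4-mapped addresses. The resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

LIBCURL_VERSION = "7.88.1"   # assumed version string, only used in the CLIENT line
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def dict_request_bytes(url: str) -> bytes:
    """Bytes libcurl writes for dict://host:port/<command> when the path is
    not a d:/m: (DEFINE/MATCH) lookup: a CLIENT banner, the path with ':'
    turned into spaces, then QUIT. Assumption: mirrors lib/dict.c in
    libcurl 7.x; other versions may differ."""
    parts = urlsplit(url)
    if parts.scheme != "dict":
        raise ValueError("not a dict:// URL")
    command = parts.path.lstrip("/").replace(":", " ")
    return (f"CLIENT libcurl {LIBCURL_VERSION}\r\n"
            f"{command}\r\n"
            "QUIT\r\n").encode()


def _is_internal(ip) -> bool:
    # Unwrap ::ffff:a.b.c.d so IPv4 rules apply to mapped addresses too.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host: str):
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})


def is_safe_url(url: str, resolve=None):
    """Allow-list gate for a server-side fetcher. Returns (ok, reason).
    `resolve` maps a hostname to a list of IP strings (hypothetical hook,
    defaults to getaddrinfo) so the check can be exercised offline."""
    resolve = resolve or _default_resolve
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return False, "malformed port"
    if port not in (80, 443):
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    print(dict_request_bytes("dict://localhost:11211/stats"))
    for u in ("dict://localhost:11211/stats", "http://127.0.0.1/",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/"):
        print(u, is_safe_url(u, resolve=lambda h: [h]))
```

Checking the resolved address rather than string-matching the hostname is what catches `localhost`, decimal or octal IP spellings and attacker-controlled DNS names that point inward. Two caveats remain for the real fetcher: it must connect to the address that was checked (a second lookup at connect time reopens DNS rebinding), and it must apply the same gate to every redirect it follows.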
Detection of Server Side Request Forgery
Acunetix, with its AcuMonitor service, can detect Server Side Request Forgery and other out-of-band vulnerabilities automatically.
When scanning a website, Acunetix injects payloads that, if the application is vulnerable, cause it to send an HTTP request to AcuMonitor. Acunetix then contacts AcuMonitor to confirm whether such a request was made, and issues an alert if it was.
The alert contains information about the HTTP request that was made: the IP address of the server that made it and the User-Agent header it sent. This information helps developers identify the component that performed the request and fix it.
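The correlation step behind this kind of out-of-band detection, as an added example that is not Acunetix or AcuMonitor code: each injected payload carries a unique token in the hostname of a URL under the scanner's control, so a request that reaches the callback host proves the application fetched it and the token says which parameter was responsible. The callback domain, the token scheme and the log lines are constructed for the example; the log format is Apache's vhost_combined, chosen because it records the requested virtual host.

```python
import re
import secrets

CALLBACK_DOMAIN = "oob.example"   # hypothetical scanner-controlled domain

# Apache vhost_combined:
# "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" \d+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def make_payload(param, registry, token=None):
    """Mint a unique callback URL for one injection point and remember which
    parameter it went into. The unguessable token is what makes a hit
    attributable to that parameter rather than to scanner noise."""
    token = token or secrets.token_hex(8)
    registry[token] = param
    return f"http://{token}.{CALLBACK_DOMAIN}/"


def correlate(log_lines, registry):
    """Match callback-server log lines back to injected parameters.
    Returns one finding per hit with the facts worth reporting: the
    parameter, the address that made the request and its User-Agent."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        vhost = m.group("vhost").lower()
        if not vhost.endswith("." + CALLBACK_DOMAIN):
            continue
        token = vhost[: -len(CALLBACK_DOMAIN) - 1]
        param = registry.get(token)
        if param is None:
            continue          # unknown token: background noise, not attributable
        findings.append({
            "parameter": param,
            "token": token,
            "source_ip": m.group("ip"),
            "user_agent": m.group("ua"),
            "request": m.group("request"),
        })
    return findings


# Constructed sample: two payloads injected into two parameters, then three
# lines as the callback web server would log them (the middle one is noise).
REGISTRY = {}
PAYLOAD_URL = make_payload("url", REGISTRY, token="7f3a9c1e2b4d5e60")
PAYLOAD_IMG = make_payload("image", REGISTRY, token="0b1c2d3e4f5a6b7c")

SAMPLE_LOG = [
    '7f3a9c1e2b4d5e60.oob.example:80 203.0.113.10 - - [12/Mar/2015:10:14:02 +0000] '
    '"GET / HTTP/1.1" 200 312 "-" "curl/7.38.0"',
    'deadbeefdeadbeef.oob.example:80 198.51.100.7 - - [12/Mar/2015:10:14:05 +0000] '
    '"GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '0b1c2d3e4f5a6b7c.oob.example:80 203.0.113.10 - - [12/Mar/2015:10:14:09 +0000] '
    '"GET / HTTP/1.0" 200 312 "-" "Wget/1.16 (linux-gnu)"',
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG, REGISTRY):
        print(f"SSRF via parameter {f['parameter']!r}: request from "
              f"{f['source_ip']} with User-Agent {f['user_agent']!r}")
```

The source address and User-Agent in each finding are exactly the two facts the alert described above reports; `curl/7.38.0` versus `Wget/1.16` already tells the developer which fetcher in the application was reached. A callback host that also serves the zone's DNS can attribute hits that never complete an HTTP request (the application resolved the name but the connection was blocked), which an HTTP-only log like this one cannot see.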