Server-Side Request Forgery Flashcards
Explain what SSRF is.
It’s a vulnerability that happens when an application retrieves remote resources without validating user input. An attacker could supply his own input as a URL and then control the resources that are retrieved by the server.
What are the possible impacts of an SSRF attack?
An attacker could supply a URL that exposes sensitive data, scan the target’s internal network or even perform RCE.
What is an In-Band SSRF attack?
An SSRF type where the server responds with the resource specified by the end user.
What is a Blind SSRF attack?
An SSRF type where there is no sign or indication that the server is vulnerable. The response is not unusual, and the attacker would need to provide a URL for a server that he controls in order to confirm whether any requests were made.
What request characteristic(s) should you look for when searching for SSRF?
Look for requests that do any of the following:
- Include a full or partial URL in the POST body or parameters;
- Include headers that contain URLs, like the Referer;
- Allow for user input that could lead to a server retrieving remote resources.
Which of the following would be useful for a payload when testing for SSRF?
(Select all that apply)
1. http://localhost
2. https://ifconfig.pro
3. http://
4. ifconfig
5. ‘ OR 1=1
6. http://127.0.0.1
1, 2 and 6
Which type of URL can be used to access files while performing an SSRF attack?
file:// URLs