SSRF

Question 1

What is SSRF?

Answer 1

SSRF stands for Server-Side Request Forgery, this allows a malicious user to cause a web server to make another edited HTTP request to the resource of the attackers choice.

Question 2

What’re the two types of SSRF and what do they do?

Answer 2

Regular SSRF: Returns data to the attackers screen

and

Blind SSRF: The SSRF will occur, but no data will be returned to the screen of the attacker afterwards

Question 3

What are some examples of SSRF?

Question 4

What are some examples of SSRF?

Answer 4

Expected Request, Path Traversal, and Subdomain Manipulation

Question 5

How do you find SSRF vulnerabilities?

Answer 5

You will most of the time have to look for specific parameters that are known to have potential SSRF vulnerabilities; examples include: dest, path, url, domain, html, etc.

Question 6

What are the common SSRF defenses that developers use?

Answer 6

There are two primary tools that a developer will use to try and prevent SSRF vulnerabilities: Deny Lists and Allow Lists.

Question 7

What are Deny Lists?

Answer 7

These lists accept all request except request specified in a list with specific patterns and rules.

Question 8

What are Allow Lists?

Answer 8

These lists deny all request except request specified in a list with specific patterns and rules.

Question 9

Whats Open Redirect?

Answer 9

This is an endpoint thats used to automatically take a web visitor to another web address.

Question 10

How do you overcome Deny Lists/Allow Lists?

Answer 10

You’ll have to essentially spoof the local host IP address or 127.0.0.1, the other way is for the attacker to actually create a subdomain on their own domain.