Server-Side Request Forgery (SSRF) Explained
Summary
TLDRThis video script focuses on the technical aspect of SSRF (Server-Side Request Forgery) vulnerabilities in web applications. The speaker addresses the common misconceptions about SSRF, explaining how to identify if a request is truly server-side and not just client-side. They demonstrate practical examples of exploiting SSRF, including accessing internal files and interacting with cloud provider metadata services. The script also provides tips on where to look for potential SSRF vulnerabilities, such as in web hooks, screenshot tools, and PDF generators, and emphasizes the importance of showing impact rather than just identifying a server-side request.
Takeaways
- π― The speaker is shifting content focus to showcase vulnerabilities and discuss vulnerability types, starting with Server Side Request Forgery (SSRF).
- π There's a perceived lag in technical content on the channel, prompting a call for audience feedback to tailor future content better.
- π£οΈ The speaker invites viewers to comment 'part two' if they want more content like this, aiming to gauge audience preferences.
- π SSRF is highlighted as a popular and impactful vulnerability that can be exploited to access internal systems and resources.
- π» The script clarifies the difference between client-side and server-side requests, emphasizing the importance of server-side requests in SSRF exploitation.
- π SSRF vulnerabilities can allow access to internal files, APIs, and even cloud provider metadata services, potentially leading to significant security breaches.
- π The speaker demonstrates how to identify SSRF by checking the source IP address of the request and whether it's server-side or client-side.
- π οΈ Practical examples are given, including exploiting SSRF in screenshot tools and PDF generators, and the potential for JavaScript interaction for deeper exploitation.
- π The speaker advises on areas to look for SSRF vulnerabilities, such as web hooks, screenshot tools, and PDF generators, and the value of reconnaissance in finding internal assets.
- β οΈ A cautionary note is sounded against reporting false positives or non-exploitable SSRF vulnerabilities, emphasizing the need to demonstrate clear impact.
Q & A
What is the main focus of the speaker's content creation related to bug bounties?
-The speaker's content creation is focused on helping the audience get into hacking, particularly web hacking and bug bounties, by sharing their experiences and finding the right balance between technical content and mentorship.
Why does the speaker want to change the content format?
-The speaker wants to change the content format to showcase vulnerabilities and discuss vulnerability types, as they feel the current content is lagging in technical aspects and they want to ensure it aligns with the audience's interests.
What does the speaker want from the audience by the end of the video?
-The speaker wants the audience to provide feedback on whether they are interested in the new content format by leaving a comment saying 'part two' or 'more content like this' to gauge the audience's preference.
What is SSRF and why is it significant?
-SSRF, or Server-Side Request Forgery, is a security vulnerability that allows an attacker to make the server perform requests to unintended or internal resources. It is significant because it can be used to access sensitive internal systems or data that are not exposed to the public internet.
How does the speaker differentiate between client-side and server-side requests in the context of SSRF?
-The speaker differentiates between client-side and server-side requests by checking the IP address of the requester. If the IP address is the user's own, it indicates a client-side request. If the IP address belongs to the server or another internal resource, it indicates a server-side request, which could be SSRF.
What is the first step in identifying an SSRF vulnerability according to the speaker?
-The first step in identifying an SSRF vulnerability is to check the source of the request, ensuring it is coming from a server and not the user's browser, which would indicate a client-side request.
What are some common places to look for SSRF vulnerabilities as suggested by the speaker?
-Common places to look for SSRF vulnerabilities include web hooks, screenshot tools, PDF generators, and any feature allowing user input that could be used to make server-side requests.
How can an SSRF vulnerability be exploited to access internal resources?
-An SSRF vulnerability can be exploited by making the server request internal resources such as local files, internal IP addresses, or metadata services of cloud providers, potentially leading to the extraction of sensitive data or keys.
What is the importance of showing impact when exploiting an SSRF vulnerability?
-Showing impact is crucial when exploiting an SSRF vulnerability because it demonstrates that the server has access to internal resources or can interact with them, which is necessary to prove the vulnerability's significance and potential for exploitation.
Why is it important not to report false positives or SSRFs that are not fully exploited?
-Reporting false positives or SSRFs that are not fully exploited can lead to a lack of credibility and may result in the report being marked as a duplicate or informative, which does not help in securing the system or advancing the bug bounty process.
Outlines
π’ Balancing Content Creation for Bug Bounty Enthusiasts
The speaker expresses a desire to refocus the channel's content to better balance educational material for beginners in bug bounties and web hacking with showcasing vulnerabilities. They propose to create content that discusses vulnerability types and later provide examples, seeking audience feedback through comments. The speaker emphasizes the need to address the frequent misconceptions about Server-Side Request Forgery (SSRF) and aims to clarify what constitutes a genuine SSRF vulnerability. They encourage viewers to engage and provide feedback on the preferred content direction, hinting at a potential series on the topic.
π Understanding SSRF: The Basics and Detection
The speaker delves into the concept of SSRF, explaining its significance due to its potential to access internal resources and systems through a vulnerable application. They clarify the difference between client-side and server-side requests, using examples to demonstrate how SSRF can be exploited to access internal files and services. The speaker also addresses common misunderstandings about SSRF, such as its inappropriate application to scenarios like login pages. They provide practical advice on how to identify SSRF vulnerabilities, including checking the origin of requests and using tools like 'ipinfo.io' to verify IP addresses.
π» Exploiting SSRF: Techniques and Examples
The speaker explores various ways to exploit SSRF vulnerabilities, such as accessing internal files, reading from metadata services of cloud providers, and interacting with internal assets using JavaScript. They provide a step-by-step guide on how to test for SSRF using tools like Burp Suite and demonstrate techniques to check if an application renders HTML or JavaScript server-side. The speaker also discusses the potential for SSRF in tools like PDF generators and screenshot tools, emphasizing the importance of showing impact when reporting vulnerabilities to avoid false positives.
π Advanced SSRF Strategies and Reconnaissance
The speaker concludes with advanced strategies for finding and exploiting SSRF vulnerabilities, including looking for user input that allows URL integration and checking for vulnerabilities in third-party tools. They stress the importance of reconnaissance to find internal IP addresses and domains that might be accessible through SSRF. The speaker shares a personal experience of chaining SSRF with another vulnerability to access internal resources and emphasizes the need to think creatively about attack vectors. They advise against reporting non-exploitable SSRF as vulnerabilities and encourage viewers to think critically about the potential impact of discovered SSRF issues.
Mindmap
Keywords
π‘Bug Bounties
π‘Web Hacking
π‘Server Side Request Forgery (SSRF)
π‘Technical Content
π‘Vulnerability
π‘Internal Network
π‘Mentorship
π‘Cloud Provider
π‘Metadata
π‘Reconnaissance
π‘Blind SSRF
Highlights
The channel is seeking a balance between educational content and the creator's personal bug bounty experiences.
A new content format is proposed to showcase vulnerabilities and discuss vulnerability types.
Audience feedback is requested to determine the preferred content focus, whether technical or mentorship aspects.
The video aims to clarify misconceptions about SSRF (Server-Side Request Forgery) vulnerabilities.
SSRF is highlighted as a popular vulnerability due to its high impact and potential for unauthorized access.
A demonstration of how to distinguish between client-side and server-side requests to identify SSRF.
Explanation of how SSRF can be used to access internal networks and resources not directly available to the user.
A walkthrough on how to identify SSRF vulnerabilities by examining the source of network requests.
The importance of confirming server-side requests when testing for SSRF vulnerabilities.
Practical examples of exploiting SSRF to read internal files and access metadata services.
A demonstration of using SSRF to access a server's metadata IP and extract sensitive information.
Discussion on the potential of SSRF to interact with internal assets and modify data or export information.
Tips for finding SSRF vulnerabilities in web hooks, screenshot tools, and PDF generators.
Advice on not limiting SSRF testing to metadata key access, but also considering local file access and internal host interaction.
A real-world example of chaining SSRF with another vulnerability to hack into a major retailer's system.
Emphasis on the need to demonstrate impact and not report false positives when identifying SSRF vulnerabilities.
The video concludes with a call to action for viewers to engage with the content and provide feedback on the new format.
Transcripts
so I have been making a lot of content
around bug bounties and just getting
into bug bounties and web hacking in
general and I've realized that the
channel is starting to lag a little bit
of technical content and not because I
don't want to make that kind of content
but it's just I'm trying to find the the
right balance between
creating content that is just helping
you all get into hacking and doing the
things you want to do in your life with
web hacking or bug bounties
while sharing my experience so I want to
try something new I want to start
creating content that is just showcasing
vulnerabilities or talk about
vulnerability types and then later tell
you the vulnerabies that have found or
examples of it
but I need to hear from you and I need
you to let me know if this is the kind
of content that you're interested in or
do you just want to hear me go on a
camera and ramble about the things that
I've enjoyed with bug bounties and the
things that I think you should do so by
the end of this video If you like this
kind of content I need you to let me
know drop me a comment and say part two
more content like this whatever you want
to call it so this way I can kind of
gauge the audience and understand what
kind of content you like the most is it
the bug Bounty and web hacking and the
the mentorship aspects of it is that the
technical aspect is it both I really
want to hear from you okay enough about
that let's talk about ssrf ssrf or
server side request forgery is a very
popular vulnerability because it's very
impactful and it could give you access
to the right things if you export it
properly and the reason why I want to
start making a video about ssrf is I'm
honestly tired of all the DMS that I get
from you guys asking me if everyone
really that you have found is actually
ssrf when in reality it's nothing there
there's no sort of and the request isn't
even being made from the server and it's
being made from the client side so I
kind of want to address all of those and
on top of it all I see a lot of people
just randomly say check for ssrf in
areas that ssrf doesn't even make sense
so for example I saw somebody posting a
login page and asking hey what would you
do in this case and
the replies were kind of scary because a
lot of people were saying stuff like
ssrf which didn't make sense you know
with a login page I can't see a reason
why that website would be vulnerable
that login page would be vulnerable to
an accessories and hopefully this video
helps you understand that as well so
let's jump into it before we do that we
need to talk about what is ssrf well the
application that you see on your screen
or on your browser with your computer
has access to different applications
micro apps apis or back-end systems that
you do not have the access to interact
with directly so in other words you tell
the website I want this information the
website or that web server looks at
where that information is coming from
whether it's another API that it's
internal only and within their internal
Network fetches that information and
gives it to you in some other cases that
application maybe have to communicate
with the company's continuous
integration and development of tools
that they videos like maybe they're
Jenkins their GitHub their git lab even
though you don't have direct access to
that the application itself is
connecting to that other application
pulling whatever it needs from it and
coming back so those things are usually
gated within an internal Network where
you have to be in the application itself
or you have to VPN into that Network in
in order to be able to access those so
that's what an ssrf becomes very
important and very cool because if the
application sits in the middle of those
other apps or there's other micro apps
or internal assets you can direct that
application or the vulnerability with
ssrf to fetch data and be able to
interact with them so with that said we
have to first understand how to identify
an ssrf well for ssrf itself it's kind
of easy you have to take a look at your
request so let's jump in actually I'm
going to show you on the screen really
quickly how that looks so let's say that
you have this website right here and
it's asking you to enter URL and it's
gonna iframe it in this case the iPhone
kinda is obvious that it's not going to
do the server side but I want to show
you the difference between the two so
what we're going to do here is we're
gonna enter our
website collaborate IP address in there
let's get this right here and we're
going to send the request
and the thing that's going to happen
here is it's going to make that request
for us one more time
and it's going to show the contents of
that in there and when we pull this
it's going to come back and show us a
bunch of IP addresses I've made a
request to this and at the bottom right
the IP address that you see here on the
screen is my IP address and not the IP
address from the server itself so that
means that the request isn't being made
server aside and instead it's using our
browser to make that request and I think
a lot of times people get confused with
an ssrf because they don't distinguish
this very exact thing where it tells
them hey your actual computer and
browser made that request so of course
you're not going to be able to access
the internal resources and the internal
Network that's behind that application
so let's say you were looking at another
ssrf I'm going to open up this one and
of course if you're watching this and
you want to play along with these Labs
these are from my Homestead course it's
my bug Bounty course that I have on
udemy the labs right here are on my
GitHub page I'll link them down below
both the course and this lab they'll be
on the description the lab itself is
free you can install it it's a Docker
page but let's take a look at it if we
make the same request from this server
I'm going to clear our top really
quickly and then if I do a pull again
you're going to see that the request
comes back but this time the IP address
is the IP address that it's not belonged
to me and it's an IP address that
belongs to that server and you can
obviously check all of those by just
doing an IP info so you can go to
ipinfo.io and you can take this
information you can type it in and check
where the IP address is so if you're not
sure
where this IP address is coming from you
can see that it belongs to digital ocean
where the server is hosted so if you're
hacking on a company that's hosted on
Amazon AWS that org is going to be
Amazon AWS which indicates that this is
a cloud environment that you could hack
into so that is the first and most
important thing to look at when you are
trying to find ssrf is first seeing hey
where is that request coming from is it
coming from another server or is it just
my browser making that request because
if it's coming from your browser then
you're not able to
access that data the next thing we're
going to take a look at is just a sample
ssrf a lot of times an ssrf could give
you access to a number of different
things the first one is you can actually
read internal files sometimes it is this
easy all you have to do is give it the
file protocol and then you're going to
give it a path to a file that exists so
if it's a Linux machine you can give it
Etc password and it gives you the
content or you can just give it a local
host and see if there's anything on that
localhost and if it comes back it means
that you have access to the localhost or
maybe any other IP addresses that could
be internal for example
if that API just exists if you've done
some Recon maybe you have found an
internal domain maybe that's a corporate
domain you can type it in here
corp.target.com let's say it's maybe
GitHub so if that domain exists it's
going to come back and say yep I can
access it and here is the data for it a
lot of times what you see hackers do in
this case they use a cloud service
provider's metadata IP to get
information about that server and in
some cases if that metadata IP is
accessible you can actually pull keys
for that instance in that machine
especially with Amazon AWS and that IP
address is usually something like 169
254 169254 you may not have to put https
there
and we can do metadata in this case I am
using digital ocean so it might be a
little bit harder to get this but we're
going to eventually find it and you can
see if I put V1 it's showing me all
these different names and if you have
access so for example if you are on AWS
and you have access to the metadata Keys
it's going to have some I am roll here
or security folder or something like
that that is going to uh if you query
for it eventually it's going to give you
the API key that you can use to log into
that instance or pull data from that
instance using AWS CLI we're not going
to cover that I think that's something
that you can learn on your own there are
a ton of disclosed reports that talk
about this with bug bounties that you
can take a look at at how hackers have
pulled Keys I've done a whole talk on
this on how to own the cloud using PDF
generators and ssrfs go check it out but
I just want to cover the basics of ssrf
so hopefully you guys don't think you
have an ssrf when the request is being
made a server side but what if it's not
that straightforward what if you are
looking at a PDF generator what if it's
a screenshot tool or what if your
application isn't just showing you the
files and folders that you want or the
instance that you wanted to the other
option you have is for this example
we're going to take a look at a
screenshot tool what you can do is you
can actually
point this domain so one the first thing
is always to do is make sure the request
is being made server side I'm going to
do that really quickly
it's going to say hey here's our
screenshot I'm going to go back to burp
I'm going to do pull now
and you can see the request is coming
back again from that IP address and what
we're going to do is we're going to
actually point this to a website that we
own so I've made this already so what
we're going to do is we're going to
actually see if this website is going to
render HTML and JavaScript server side
so the first thing we know already is
the request is being made server side we
can't really see any data for example
maybe they don't let you see local files
or something like that and you want to
hit them out of data and what you can do
is you can create your own
file so for example it could be an HTML
file it could be PHP does that matter in
this case I'm going to do PHP and I'm
going to say hey I want you to just
create an iframe
just for me to test out and see does
this thing actually render HTML in most
cases it does especially since it's
being made server side but we have to
check these one by one so we're going to
go back to burp Suite we're going to put
our
and stands for collaborator in here
and we're gonna see if it's going to
load that
server side
and how it's going to behave that's
always the first step that I use I use
HTML then I look at JavaScript as well
so let's see if this is going to work
it's going to do that and of course it
did it hit our instance with
collaborator and we can check that again
by going to pull and we can see more
requests have been made uh we are down
here now and of course the next thing
you want to do is you want to check and
see if you're able to do anything with
JavaScript and this is where things get
more fun because once you have
JavaScript then you can control the
behavior of this thing entirely and see
what other uh assets you have access to
if you do have access to an internal
asset for example you can maybe send a
post request and be able to modify data
or maybe export something internally
whatever that is or fetch other data so
we're going to send that in and I'll
talk about what I just said in a little
bit but I want to see if this is going
to work
and we can see that it says not found
which is a great sign because usually
that's what the digital ocean metadata
instance says as soon as you hit it so
we're going to hit this one more time
and make our adjustment now that we know
it works we're going to go back and we
are going to make this request one more
time and as you can see now we have
access to metadata on or metadata IP
instance on digital ocean and we can
pull some information and kind of show
impact that hey this does have access to
some internal resources so that is
pretty much the basics of ssrf and I
think it's really important to
understand these basic things before you
try and exploit them but before we wrap
up the video I want to give you some
other ideas of things you can do some
examples of it and some areas you can
look for ssrf number one any place that
you can see a user who could put in a
URL where it gives you the ability to
integrate your own stuff for example if
there's web hooks integration with
third-party tools those are usually good
place to look at ssrf any screenshot
tool anytime that you go to a website
maybe they let you design your own code
you're doing HTML code and takes a
screenshot of it and shows you the
output that is a great place to try and
also the PDF generators are huge you can
also look for them there those are the
very common places to look for ssrf but
also keep in mind that everybody is
going to be on this cloud provider like
AWS digital Ocean or Google sometimes
these companies may have an in-house
thing so if you don't have access to
those IP addresses go do some
reconnaissance find those internal IP
addresses or find internal domains and
see if you can query for them for
example I was able to hack in one of the
largest retailers in the world by doing
exactly in ssrf I was able to hack a
third party tool that they were using it
was self-hosted it was out of date it
was one of those tools that every
company uses but because it was out of
date it had an ssrf vulnerability on it
where I could make a request to
localhost but I couldn't pull out any
keys so what I ended up doing was do
some reconnaissance and I found other
use another tool secondary tool by
finding domain for it so let's say if
they were using a GitHub for example
they had a phone that I believe that I
knew that didn't require authorization I
chained the two together to prove more
impact by pulling data so don't always
limit yourself to having a ssrf that
needs access to the metadata key try
things like reading local files in the
first example I pulled up the ETC
password file and the second example
that I just gave you earlier I changed
it with another vulnerability and I saw
if I could access internal hosts so
always always think of different attack
vectors and attack scenarios where
you're not just giving up and then last
but not least not every ssrf or not
every server-side request is vulnerable
so if you put in your collaborator and
you look at it and you see that the IP
address that is making the request is
not you and it's a remote Server doesn't
necessarily mean that it's vulnerable so
you have to really try and show impact
can you access any internal resources
can you distinguish wish if this thing
has access to an IP address that's
internal can you access these things can
you send data can you read data or if
you can't read data it could be blind
you can't see the data from it but can
you interact with it with JavaScript and
that sort of things so keep that all in
mind when we're looking for a ssrf you
don't want to report a false positive to
these companies or an SSR if that's not
being fully exploited and then just get
an n a a duplicate or an informative all
right that's it I think that was a good
explanation of ssrf I really hope this
helps you guys understand what ssrf is
how to look for a Persona even more and
hopefully I see less and less people on
Twitter saying Hey try ssrf in places
that it doesn't make sense and hopefully
I get less themes of you sending me uh
quote-unquote ssrfs that are not really
vulnerable and it's just being made
client-side all right that's it I will
see you all in the next video peace
thank you
Browse More Related Video
5.0 / 5 (0 votes)