Server-Side Request Forgery (SSRF) Explained

NahamSec
10 Apr 2023 · 15:57

Summary

TL;DR: This video script focuses on the technical side of SSRF (Server-Side Request Forgery) vulnerabilities in web applications. The speaker addresses common misconceptions about SSRF, explaining how to tell whether a request is truly made by the server rather than by the client's browser. They demonstrate practical examples of exploiting SSRF, including reading internal files and interacting with cloud provider metadata services. The script also suggests where to look for potential SSRF vulnerabilities, such as webhooks, screenshot tools and PDF generators, and emphasizes the importance of demonstrating impact rather than just identifying a server-side request.

Takeaways

  • 🎯 The speaker is shifting content focus to showcase vulnerabilities and discuss vulnerability types, starting with Server-Side Request Forgery (SSRF).
  • 📉 There's a perceived lag in technical content on the channel, prompting a call for audience feedback to tailor future content better.
  • 🗣️ The speaker invites viewers to comment 'part two' if they want more content like this, aiming to gauge audience preferences.
  • 🔍 SSRF is highlighted as a popular and impactful vulnerability that can be exploited to access internal systems and resources.
  • 💻 The script clarifies the difference between client-side and server-side requests, emphasizing that only server-side requests matter for SSRF exploitation.
  • 🌐 SSRF vulnerabilities can allow access to internal files, APIs, and even cloud provider metadata services, potentially leading to significant security breaches.
  • 🔑 The speaker demonstrates how to identify SSRF by checking the source IP address of the request and whether it's server-side or client-side.
  • 🛠️ Practical examples are given, including exploiting SSRF in screenshot tools and PDF generators, and the potential for JavaScript interaction for deeper exploitation.
  • 🔎 The speaker advises on areas to look for SSRF vulnerabilities, such as webhooks, screenshot tools, and PDF generators, and the value of reconnaissance in finding internal assets.
  • ⚠️ A cautionary note is sounded against reporting false positives or non-exploitable SSRF vulnerabilities, emphasizing the need to demonstrate clear impact.

Q & A

  • What is the main focus of the speaker's content creation related to bug bounties?

    -The speaker's content creation is focused on helping the audience get into hacking, particularly web hacking and bug bounties, by sharing their experiences and finding the right balance between technical content and mentorship.

  • Why does the speaker want to change the content format?

    -The speaker wants to change the content format to showcase vulnerabilities and discuss vulnerability types, as they feel the current content is lagging in technical aspects and they want to ensure it aligns with the audience's interests.

  • What does the speaker want from the audience by the end of the video?

    -The speaker wants the audience to provide feedback on whether they are interested in the new content format by leaving a comment saying 'part two' or 'more content like this' to gauge the audience's preference.

  • What is SSRF and why is it significant?

    -SSRF, or Server-Side Request Forgery, is a security vulnerability that allows an attacker to make the server perform requests to unintended or internal resources. It is significant because it can be used to access sensitive internal systems or data that are not exposed to the public internet.

  • How does the speaker differentiate between client-side and server-side requests in the context of SSRF?

    -The speaker differentiates between client-side and server-side requests by checking the IP address of the requester. If the IP address is the user's own, it indicates a client-side request. If the IP address belongs to the server or another internal resource, it indicates a server-side request, which could be SSRF.

  • What is the first step in identifying an SSRF vulnerability according to the speaker?

    -The first step in identifying an SSRF vulnerability is to check the source of the request, ensuring it is coming from a server and not the user's browser, which would indicate a client-side request.

  • What are some common places to look for SSRF vulnerabilities as suggested by the speaker?

    -Common places to look for SSRF vulnerabilities include web hooks, screenshot tools, PDF generators, and any feature allowing user input that could be used to make server-side requests.

  • How can an SSRF vulnerability be exploited to access internal resources?

    -An SSRF vulnerability can be exploited by making the server request internal resources such as local files, internal IP addresses, or metadata services of cloud providers, potentially leading to the extraction of sensitive data or keys.

  • What is the importance of showing impact when exploiting an SSRF vulnerability?

    -Showing impact is crucial when exploiting an SSRF vulnerability because it demonstrates that the server has access to internal resources or can interact with them, which is necessary to prove the vulnerability's significance and potential for exploitation.

  • Why is it important not to report false positives or SSRFs that are not fully exploited?

    -Reporting false positives or SSRFs that are not fully exploited can lead to a lack of credibility and may result in the report being marked as a duplicate or informative, which does not help in securing the system or advancing the bug bounty process.

Outlines

00:00

📒 Balancing Content Creation for Bug Bounty Enthusiasts

The speaker expresses a desire to refocus the channel's content to better balance educational material for beginners in bug bounties and web hacking with showcasing vulnerabilities. They propose to create content that discusses vulnerability types and later provide examples, seeking audience feedback through comments. The speaker emphasizes the need to address the frequent misconceptions about Server-Side Request Forgery (SSRF) and aims to clarify what constitutes a genuine SSRF vulnerability. They encourage viewers to engage and provide feedback on the preferred content direction, hinting at a potential series on the topic.

05:02

πŸ” Understanding SSRF: The Basics and Detection

The speaker delves into the concept of SSRF, explaining its significance due to its potential to access internal resources and systems through a vulnerable application. They clarify the difference between client-side and server-side requests, using examples to demonstrate how SSRF can be exploited to access internal files and services. The speaker also addresses common misunderstandings about SSRF, such as its inappropriate application to scenarios like login pages. They provide practical advice on how to identify SSRF vulnerabilities, including checking the origin of requests and using tools like 'ipinfo.io' to verify IP addresses.

10:02

💻 Exploiting SSRF: Techniques and Examples

The speaker explores various ways to exploit SSRF vulnerabilities, such as accessing internal files, reading from metadata services of cloud providers, and interacting with internal assets using JavaScript. They provide a step-by-step guide on how to test for SSRF using tools like Burp Suite and demonstrate techniques to check if an application renders HTML or JavaScript server-side. The speaker also discusses the potential for SSRF in tools like PDF generators and screenshot tools, emphasizing the importance of showing impact when reporting vulnerabilities to avoid false positives.
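The outline above, and the Q&A answer on accessing internal resources, describe the targets an SSRF is typically steered towards: file:// paths, localhost, internal hosts and the cloud metadata IP. The following Python is an added example, not code from the video or the speaker's labs; it shows the defender's side of the same list: a URL check that refuses to let the server fetch any of those targets, and a scan over egress log lines that flags outbound requests which reached them. The DNS table (`FAKE_DNS`) and the log lines (`SAMPLE_EGRESS_LOG`) are constructed so the example runs offline.

```python
"""SSRF target checks: validate a user-supplied URL before the server fetches it,
and flag outbound requests in an egress log that reached non-public targets.
Added example for this page; not code from the video or the speaker's labs."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; a real deployment
# resolves the name and applies classify_ip() to every address returned.
FAKE_DNS = {
    "example.com": "93.184.216.34",                 # public address
    "corp.internal.test": "10.0.0.12",              # internal name -> RFC 1918 space
    "metadata.google.internal": "169.254.169.254",  # name pointing at a metadata IP
}

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host):
    """Return the IP address for host, treating IP literals as already resolved.
    Unknown names raise ValueError, so odd encodings (decimal, octal) that the
    ipaddress module rejects are refused rather than passed through unchecked."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    ip = FAKE_DNS.get(host.lower())
    if ip is None:
        raise ValueError(f"unresolvable host: {host}")
    return ipaddress.ip_address(ip)


def classify_ip(ip):
    """Label an address; anything other than 'public' must not be fetched."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    if ip.is_loopback:
        return "loopback"            # 127.0.0.0/8, ::1
    if ip.is_link_local:
        return "link-local"          # 169.254.0.0/16, where cloud metadata lives
    if ip.is_private:
        return "private"             # RFC 1918, unique local, etc.
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"


def validate_fetch_url(url):
    """Return (ok, reason). ok is False when the server must not fetch the URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"  # blocks file://
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    try:
        ip = resolve(parts.hostname)
    except ValueError as exc:
        return False, str(exc)
    kind = classify_ip(ip)
    if kind != "public":
        return False, f"{parts.hostname} resolves to {ip} ({kind})"
    return True, f"{parts.hostname} resolves to {ip} (public)"


# Constructed egress log lines from an app server: "<time> <host> <method> <url>".
SAMPLE_EGRESS_LOG = """\
2023-04-10T10:01:02Z app-01 GET http://example.com/page
2023-04-10T10:01:05Z app-01 GET http://169.254.169.254/latest/meta-data/
2023-04-10T10:01:09Z app-01 GET http://127.0.0.1:8080/admin
2023-04-10T10:01:11Z app-01 GET http://corp.internal.test/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_egress_log(text):
    """Return (timestamp, url, reason) for each outbound fetch that hit a target
    the server should never have been steered to; a cheap SSRF detection signal."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                 # skip lines that do not fit the format
        ts, _src, _method, url = match.groups()
        ok, reason = validate_fetch_url(url)
        if not ok:
            findings.append((ts, url, reason))
    return findings


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://[::ffff:127.0.0.1]/", "https://example.com/"):
        print(u, "->", validate_fetch_url(u))
    for finding in scan_egress_log(SAMPLE_EGRESS_LOG):
        print("egress alert:", *finding)
```

Two design points matter in practice. The classification has to be applied to the address the HTTP client actually connects to, and again on every redirect, because a name can resolve differently between the check and the fetch; validating the string once and then calling a library that resolves it afresh leaves a gap. And refusing anything that fails to parse or resolve (rather than letting it through) is what keeps alternative IP spellings from bypassing the check.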

15:03

🚀 Advanced SSRF Strategies and Reconnaissance

The speaker concludes with advanced strategies for finding and exploiting SSRF vulnerabilities, including looking for user input that allows URL integration and checking for vulnerabilities in third-party tools. They stress the importance of reconnaissance to find internal IP addresses and domains that might be accessible through SSRF. The speaker shares a personal experience of chaining SSRF with another vulnerability to access internal resources and emphasizes the need to think creatively about attack vectors. They advise against reporting non-exploitable SSRF as vulnerabilities and encourage viewers to think critically about the potential impact of discovered SSRF issues.

Keywords

💡 Bug Bounties

Bug bounties are programs run by many organizations to encourage security researchers to find and report bugs, particularly those pertaining to vulnerabilities in a system. In the video, the speaker discusses their focus on creating content related to bug bounties, aiming to educate the audience on web hacking and vulnerability discovery. The speaker's goal is to balance educational content with personal experiences in the field.

💡 Web Hacking

Web hacking refers to the process of exploiting vulnerabilities in web applications or web servers. It is a central theme of the video, where the speaker shares their experiences and knowledge in the area, specifically focusing on finding and understanding different types of vulnerabilities such as SSRF.

💡 Server-Side Request Forgery (SSRF)

SSRF is a type of web application vulnerability that allows an attacker to make the server perform requests to unintended locations, potentially leading to access to internal systems or services. The video script delves into SSRF, explaining its impact and how it can be exploited, using examples from the speaker's own experiences and demonstrations.

💡 Technical Content

Technical content refers to material that is rich in technical details and requires specialized knowledge to understand. In the context of the video, the speaker mentions a need to balance technical content with more accessible material to cater to a broader audience interested in hacking and bug bounties.

💡 Vulnerability

A vulnerability is a weakness in a system that can be exploited by an attacker. The video is focused on discussing different types of vulnerabilities, particularly SSRF, and how they can be identified and exploited. The speaker aims to clarify misconceptions about vulnerabilities and provide guidance on how to properly identify and report them.

💡 Internal Network

An internal network refers to a private network within an organization, which is typically not accessible from the public internet. In the video, the speaker explains how SSRF can be used to access an internal network, which is a significant security risk because it can expose sensitive data or systems.

💡 Mentorship

Mentorship involves guiding or teaching someone less experienced. The speaker mentions the mentorship aspect of their content, indicating a desire to help viewers learn about hacking and bug bounties, not just by sharing technical information but also by guiding them through the process.

💡 Cloud Provider

A cloud provider is a company that offers cloud computing services, such as Amazon AWS, Digital Ocean, or Google Cloud. The script discusses how SSRF vulnerabilities can be exploited to access metadata from cloud provider instances, which can lead to the exposure of sensitive information like API keys.

💡 Metadata

In the context of the video, metadata refers to data about data, specifically information that can be accessed to learn more about a system or instance. The speaker explains how SSRF can be used to access metadata from cloud services, which can provide valuable insights into the system's configuration and potentially lead to further exploitation.

💡 Reconnaissance

Reconnaissance in the context of hacking is the process of gathering information about a target system to identify potential vulnerabilities. The speaker uses the term to describe the process of finding internal IP addresses or domains that could be targeted through an SSRF vulnerability.

💡 Blind SSRF

A blind SSRF is a type of SSRF vulnerability where the attacker does not receive any direct output from the server's interaction with the target system. The speaker mentions this concept to illustrate that even without visible output, an SSRF can still be exploited to interact with internal systems using techniques like JavaScript.

Highlights

The channel is seeking a balance between educational content and the creator's personal bug bounty experiences.

A new content format is proposed to showcase vulnerabilities and discuss vulnerability types.

Audience feedback is requested to determine the preferred content focus, whether technical or mentorship aspects.

The video aims to clarify misconceptions about SSRF (Server-Side Request Forgery) vulnerabilities.

SSRF is highlighted as a popular vulnerability due to its high impact and potential for unauthorized access.

A demonstration of how to distinguish between client-side and server-side requests to identify SSRF.

Explanation of how SSRF can be used to access internal networks and resources not directly available to the user.

A walkthrough on how to identify SSRF vulnerabilities by examining the source of network requests.

The importance of confirming server-side requests when testing for SSRF vulnerabilities.

Practical examples of exploiting SSRF to read internal files and access metadata services.

A demonstration of using SSRF to access a server's metadata IP and extract sensitive information.

Discussion on the potential of SSRF to interact with internal assets and modify data or export information.

Tips for finding SSRF vulnerabilities in web hooks, screenshot tools, and PDF generators.

Advice on not limiting SSRF testing to metadata key access, but also considering local file access and internal host interaction.

A real-world example of chaining SSRF with another vulnerability to hack into a major retailer's system.

Emphasis on the need to demonstrate impact and not report false positives when identifying SSRF vulnerabilities.

The video concludes with a call to action for viewers to engage with the content and provide feedback on the new format.

Transcripts

00:00

So I have been making a lot of content around bug bounties and just getting into bug bounties and web hacking in general, and I've realized that the channel is starting to lag a little bit of technical content, and not because I don't want to make that kind of content, but it's just I'm trying to find the right balance between creating content that is just helping you all get into hacking and doing the things you want to do in your life with web hacking or bug bounties, while sharing my experience. So I want to try something new. I want to start creating content that is just showcasing vulnerabilities or talk about vulnerability types and then later tell you the vulnerabilities that I have found or examples of it. But I need to hear from you and I need you to let me know if this is the kind of content that you're interested in, or do you just want to hear me go on a camera and ramble about the things that I've enjoyed with bug bounties and the things that I think you should do. So by the end of this video, if you like this kind of content I need you to let me know: drop me a comment and say "part two", "more content like this", whatever you want to call it, so this way I can kind of gauge the audience and understand what kind of content you like the most. Is it the bug bounty and web hacking and the mentorship aspects of it? Is it the technical aspect? Is it both? I really want to hear from you.

01:22

Okay, enough about that, let's talk about SSRF. SSRF, or server-side request forgery, is a very popular vulnerability because it's very impactful and it could give you access to the right things if you exploit it properly. And the reason why I want to start making a video about SSRF is I'm honestly tired of all the DMs that I get from you guys asking me if every vulnerability that you have found is actually SSRF, when in reality it's nothing, there's no sort of, and the request isn't even being made from the server and it's being made from the client side. So I kind of want to address all of those, and on top of it all I see a lot of people just randomly say "check for SSRF" in areas that SSRF doesn't even make sense. So for example I saw somebody posting a login page and asking "hey, what would you do in this case?" and the replies were kind of scary because a lot of people were saying stuff like SSRF, which didn't make sense. You know, with a login page I can't see a reason why that website would be vulnerable, that login page would be vulnerable to an SSRF, and hopefully this video helps you understand that as well.

02:36

So let's jump into it. Before we do that we need to talk about what is SSRF. Well, the application that you see on your screen or on your browser with your computer has access to different applications, micro apps, APIs or back-end systems that you do not have the access to interact with directly. So in other words, you tell the website "I want this information", the website or that web server looks at where that information is coming from, whether it's another API that it's internal only and within their internal network, fetches that information and gives it to you. In some other cases that application maybe has to communicate with the company's continuous integration and development tools that they use, like maybe their Jenkins, their GitHub, their GitLab. Even though you don't have direct access to that, the application itself is connecting to that other application, pulling whatever it needs from it and coming back. So those things are usually gated within an internal network where you have to be in the application itself or you have to VPN into that network in order to be able to access those. So that's where an SSRF becomes very important and very cool, because if the application sits in the middle of those other apps, or there's other micro apps or internal assets, you can direct that application, or the vulnerability with SSRF, to fetch data and be able to interact with them.

03:54

So with that said, we have to first understand how to identify an SSRF. Well, for SSRF itself it's kind of easy: you have to take a look at your request. So let's jump in. Actually I'm going to show you on the screen really quickly how that looks. So let's say that you have this website right here and it's asking you to enter a URL and it's gonna iframe it. In this case the iframe kind of is obvious that it's not going to do the server side, but I want to show you the difference between the two. So what we're going to do here is we're gonna enter our website, Collaborator IP address, in there, let's get this right here, and we're going to send the request, and the thing that's going to happen here is it's going to make that request for us. One more time, and it's going to show the contents of that in there. And when we poll this it's going to come back and show us a bunch of IP addresses. I've made a request to this, and at the bottom right the IP address that you see here on the screen is my IP address and not the IP address from the server itself. So that means that the request isn't being made server side and instead it's using our browser to make that request. And I think a lot of times people get confused with an SSRF because they don't distinguish this very exact thing, where it tells them "hey, your actual computer and browser made that request", so of course you're not going to be able to access the internal resources and the internal network that's behind that application.

05:24

So let's say you were looking at another SSRF. I'm going to open up this one, and of course if you're watching this and you want to play along with these labs, these are from my Homestead course, it's my bug bounty course that I have on Udemy. The labs right here are on my GitHub page, I'll link them down below, both the course and this lab, they'll be in the description. The lab itself is free, you can install it, it's a Docker page. But let's take a look at it. If we make the same request from this server, I'm going to clear our top really quickly and then if I do a poll again, you're going to see that the request comes back, but this time the IP address is an IP address that does not belong to me and it's an IP address that belongs to that server. And you can obviously check all of those by just doing an IP info, so you can go to ipinfo.io and you can take this information, you can type it in and check where the IP address is. So if you're not sure where this IP address is coming from, you can see that it belongs to DigitalOcean, where the server is hosted. So if you're hacking on a company that's hosted on Amazon AWS, that org is going to be Amazon AWS, which indicates that this is a cloud environment that you could hack into. So that is the first and most important thing to look at when you are trying to find SSRF: first seeing "hey, where is that request coming from? Is it coming from another server or is it just my browser making that request?" Because if it's coming from your browser then you're not able to access that data.

06:52

The next thing we're going to take a look at is just a sample SSRF. A lot of times an SSRF could give you access to a number of different things. The first one is you can actually read internal files. Sometimes it is this easy: all you have to do is give it the file protocol and then you're going to give it a path to a file that exists. So if it's a Linux machine you can give it /etc/passwd and it gives you the content. Or you can just give it a localhost and see if there's anything on that localhost, and if it comes back it means that you have access to the localhost, or maybe any other IP addresses that could be internal. For example, if that API just exists, if you've done some recon, maybe you have found an internal domain, maybe that's a corporate domain, you can type it in here, corp.target.com, let's say it's maybe GitHub. So if that domain exists it's going to come back and say "yep, I can access it and here is the data for it". A lot of times what you see hackers do in this case, they use a cloud service provider's metadata IP to get information about that server, and in some cases if that metadata IP is accessible you can actually pull keys for that instance, that machine, especially with Amazon AWS, and that IP address is usually something like 169.254.169.254. You may not have to put https there, and we can do metadata. In this case I am using DigitalOcean so it might be a little bit harder to get this, but we're going to eventually find it, and you can see if I put v1 it's showing me all these different names. And if you have access, so for example if you are on AWS and you have access to the metadata keys, it's going to have some IAM role here or security folder or something like that that is going to, uh, if you query for it eventually it's going to give you the API key that you can use to log into that instance or pull data from that instance using AWS CLI. We're not going to cover that, I think that's something that you can learn on your own. There are a ton of disclosed reports that talk about this with bug bounties that you can take a look at, at how hackers have pulled keys. I've done a whole talk on this, on how to own the cloud using PDF generators and SSRFs, go check it out.

09:04

But I just want to cover the basics of SSRF so hopefully you guys don't think you have an SSRF when the request is being made server side. But what if it's not that straightforward? What if you are looking at a PDF generator, what if it's a screenshot tool, or what if your application isn't just showing you the files and folders that you want or the instance that you wanted? The other option you have is, for this example we're going to take a look at a screenshot tool. What you can do is you can actually point this domain, so one, the first thing always to do is make sure the request is being made server side. I'm going to do that really quickly. It's going to say "hey, here's our screenshot", I'm going to go back to Burp, I'm going to do "Poll now", and you can see the request is coming back again from that IP address. And what we're going to do is we're going to actually point this to a website that we own. So I've made this already. So what we're going to do is we're going to actually see if this website is going to render HTML and JavaScript server side. So the first thing we know already is the request is being made server side. We can't really see any data, for example maybe they don't let you see local files or something like that, and you want to hit the metadata. And what you can do is you can create your own file, so for example it could be an HTML file, it could be PHP, does that matter? In this case I'm going to do PHP and I'm going to say "hey, I want you to just create an iframe", just for me to test out and see does this thing actually render HTML. In most cases it does, especially since it's being made server side, but we have to check these one by one. So we're going to go back to Burp Suite, we're going to put our instance for Collaborator in here and we're gonna see if it's going to load that server side and how it's going to behave. That's always the first step that I use: I use HTML, then I look at JavaScript as well. So let's see if this is going to work. It's going to do that, and of course it did, it hit our instance with Collaborator, and we can check that again by going to poll and we can see more requests have been made, uh, we are down here now.

11:17

And of course the next thing you want to do is you want to check and see if you're able to do anything with JavaScript, and this is where things get more fun, because once you have JavaScript then you can control the behavior of this thing entirely and see what other, uh, assets you have access to. If you do have access to an internal asset, for example, you can maybe send a POST request and be able to modify data or maybe export something internally, whatever that is, or fetch other data. So we're going to send that in, and I'll talk about what I just said in a little bit, but I want to see if this is going to work. And we can see that it says "not found", which is a great sign because usually that's what the DigitalOcean metadata instance says as soon as you hit it. So we're going to hit this one more time and make our adjustment now that we know it works. We're going to go back and we are going to make this request one more time, and as you can see now we have access to the metadata, or metadata IP instance, on DigitalOcean and we can pull some information and kind of show impact that "hey, this does have access to some internal resources". So that is pretty much the basics of SSRF, and I think it's really important to understand these basic things before you try and exploit them.

12:34

But before we wrap up the video I want to give you some other ideas of things you can do, some examples of it and some areas you can look for SSRF. Number one: any place that you can see a user who could put in a URL, where it gives you the ability to integrate your own stuff. For example if there's webhooks integration with third-party tools, those are usually a good place to look at SSRF. Any screenshot tool: any time that you go to a website, maybe they let you design your own code, you're doing HTML code and it takes a screenshot of it and shows you the output, that is a great place to try. And also the PDF generators are huge, you can also look for them there. Those are the very common places to look for SSRF. But also keep in mind that everybody is going to be on this cloud provider like AWS, DigitalOcean or Google; sometimes these companies may have an in-house thing, so if you don't have access to those IP addresses go do some reconnaissance, find those internal IP addresses or find internal domains and see if you can query for them.

13:30

For example, I was able to hack in one of the largest retailers in the world by doing exactly an SSRF. I was able to hack a third-party tool that they were using, it was self-hosted, it was out of date, it was one of those tools that every company uses, but because it was out of date it had an SSRF vulnerability on it where I could make a request to localhost, but I couldn't pull out any keys. So what I ended up doing was do some reconnaissance, and I found other, use another tool, secondary tool, by finding a domain for it. So let's say if they were using a GitHub for example, they had a phone that I believe that I knew that didn't require authorization. I chained the two together to prove more impact by pulling data. So don't always limit yourself to having an SSRF that needs access to the metadata key. Try things like reading local files: in the first example I pulled up the /etc/passwd file, and the second example that I just gave you earlier, I chained it with another vulnerability and I saw if I could access internal hosts. So always, always think of different attack vectors and attack scenarios where you're not just giving up.

14:30

And then last but not least, not every SSRF, or not every server-side request, is vulnerable. So if you put in your Collaborator and you look at it and you see that the IP address that is making the request is not you and it's a remote server, it doesn't necessarily mean that it's vulnerable. So you have to really try and show impact: can you access any internal resources, can you distinguish if this thing has access to an IP address that's internal, can you access these things, can you send data, can you read data, or if you can't read data it could be blind, you can't see the data from it, but can you interact with it with JavaScript and that sort of things. So keep that all in mind when we're looking for an SSRF. You don't want to report a false positive to these companies, or an SSRF that's not being fully exploited, and then just get an N/A, a duplicate or an informative.

15:20

All right, that's it. I think that was a good explanation of SSRF. I really hope this helps you guys understand what SSRF is, how to look for SSRF even more, and hopefully I see less and less people on Twitter saying "hey, try SSRF" in places that it doesn't make sense, and hopefully I get less DMs of you sending me, uh, quote-unquote SSRFs that are not really vulnerable and it's just being made client-side. All right, that's it, I will see you all in the next video, peace.

15:55

Thank you.


Related tags: SSRF Vulnerability, Web Hacking, Bug Bounty, Cybersecurity, Server-Side Request, Hacking Tutorial, Internal Network, Cloud Security, Web Exploits, Bug Hunting