What is SSRF?

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.


SSRF attacks against the server

In an SSRF attack against the server, the attacker causes the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface. This typically involves supplying a URL with a hostname like 127.0.0.1 (a reserved IP address that points to the loopback adapter) or localhost (a commonly used name for the same adapter).

For example, suppose an application's back end retrieves information held on external servers by querying various back-end REST APIs, and the API to contact is chosen directly by the user, who passes the URL of the relevant back-end endpoint in a front-end HTTP request. The user's browser then sends the following request:

POST /api/method HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

api=http://external.api.net:8080/api/info/checkID

In this example, an attacker can modify the request to specify a URL local to the server:

POST /api/method HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

api=http://localhost/admin

Enumerating back-end ports

Other ports on the back-end host can be enumerated by repeating the same request with Burp Intruder, varying the port number in the supplied URL and comparing the responses.

SSRF attacks against other back-end systems

In some cases, the application server is able to interact with back-end systems that are not directly reachable by users. These systems often have non-routable private IP addresses. The back-end systems are normally protected by the network topology, so they often have a weaker security posture. In many cases, internal back-end systems contain sensitive functionality that can be accessed without authentication by anyone who is able to interact with the systems.

In the previous example, imagine there is an administrative interface at the back-end URL https://192.168.0.68/admin. An attacker can submit the following request to exploit the SSRF vulnerability, and access the administrative interface:

POST /api/method HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

api=http://192.168.0.68/admin
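Both attack variants above (loopback via localhost/127.0.0.1, and private back-end hosts such as 192.168.0.68) share one root cause: the server fetches whatever URL arrives in the api parameter without checking where it points. The following is an added example written for this page, not code from the original text or from any particular product. It shows a server-side check that a defender would put in front of the outbound fetch: it parses the user-supplied URL, resolves the hostname, and rejects any target that is not a public address (loopback, RFC 1918, link-local, unspecified, and the bare-integer form of an IP such as 2130706433, which some URL parsers accept as 127.0.0.1). An optional hostname allowlist is the stronger control. The function names, the FAKE_DNS table, the address 1.2.3.4 for external.api.net, and the SAMPLE_BODIES log lines are all constructed for the example so that it runs offline; a real deployment would resolve with socket.getaddrinfo().

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for DNS so the example runs offline (not a real resolver).
FAKE_DNS = {
    "external.api.net": ["1.2.3.4"],   # constructed public address
    "localhost": ["127.0.0.1"],
    "intranet.example": ["192.168.0.68"],
}


def resolve(hostname):
    """Stand-in for socket.getaddrinfo(); returns addresses from the constructed table."""
    return FAKE_DNS.get(hostname, [])


def parse_host_as_ip(hostname):
    """Return an ip_address if the host is an IP literal, including the
    bare-integer form (2130706433 == 127.0.0.1); otherwise None."""
    try:
        return ipaddress.ip_address(hostname)
    except ValueError:
        pass
    if hostname.isdigit():
        try:
            return ipaddress.ip_address(int(hostname))
        except ValueError:
            pass
    return None


def is_disallowed(ip):
    """True for any address the application must never fetch from."""
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or not ip.is_global)


def check_outbound_url(url, allowed_hosts=None, resolver=resolve):
    """Return (ok, reason) for a user-supplied outbound URL.

    Rejects non-http(s) schemes, hosts outside the allowlist (when one is
    given), and any host whose literal or resolved address is non-public.
    Every resolved address is checked, not just the first one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # lower-cased, port and userinfo stripped
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist: %s" % host
    literal = parse_host_as_ip(host)
    addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, "unresolvable host: %s" % host
    for addr in addrs:
        if is_disallowed(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


# Constructed form bodies in the shape of the page's POST /api/method requests,
# as they might appear in a request log. The first is benign, the rest are not.
SAMPLE_BODIES = [
    "api=http%3A%2F%2Fexternal.api.net%3A8080%2Fapi%2Finfo%2FcheckID",
    "api=http%3A%2F%2Flocalhost%2Fadmin",
    "api=http%3A%2F%2F192.168.0.68%2Fadmin",
    "api=http%3A%2F%2F2130706433%2Fadmin",
]


def flag_ssrf_attempts(bodies, allowed_hosts=None):
    """Run the same check over logged form bodies; returns (url, reason) for each hit."""
    hits = []
    for body in bodies:
        for url in parse_qs(body).get("api", []):
            ok, reason = check_outbound_url(url, allowed_hosts)
            if not ok:
                hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in flag_ssrf_attempts(SAMPLE_BODIES):
        print("blocked:", url, "->", reason)
```

Two caveats a practitioner should keep in mind. First, a denylist of address ranges is weaker than an allowlist of known back-end hosts, and is also subject to DNS rebinding: the fetch must connect to the address that was validated rather than resolving the name a second time, and HTTP redirects must be disabled or re-validated hop by hop. Second, the same check is useful on the detection side, which is why flag_ssrf_attempts applies it to logged request bodies: the 127.0.0.1, localhost, 192.168.x.x and integer-IP forms from the attacks above all surface as hits.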