- What protocols does the client support?
  - ftp:// (File Transfer Protocol)
  - dict:// (Dictionary network protocol)
  - gopher:// (file distribution)
  - file:// (file URI scheme)
  - ldap:// (Lightweight Directory Access Protocol)
  - AWS metadata: http://169.254.169.254/latest/dynamic/instance-identity/
  - ssh:// (Secure Shell)
  - smb:// (Server Message Block)
  - http://
  - https://
- Bypasses
  - Redirect via an external server you control
  - Numeric IP conversion for blacklist bypasses
  - Shortened URLs: http://127.1
- What else can I do?
  - Port scanning of the internal network
  - Try to view internal services:
    - ElastiCache
    - File servers
    - Databases
    - Network infrastructure (switches, routers, firewalls, etc.)
  - Directory traversal
  - AWS & GCP metadata exploitation
  - Send an email via the localhost SMTP server?
- What to look for?
  - Anywhere a system-addressable string shows up (IP, domain name, email address, etc.)
  - Query parameters taking a URL as input
  - Ability to upload files and templates
- Fuzzing headers
  - Location
  - Referer
  - X-Forwarded-For
  - Webhooks
  - PDF generators
  - Document parsers
- Can I read responses?
  - YES: if I can read the response then proving impact is a breeze: we just need to identify an internal service that responds to whatever protocols we have access to and read a response from it.
  - NO: is there any additional information given to me based on the availability of the receiving system? If the port isn't open, does an error get returned? If the system doesn't speak HTTP but is receiving traffic, what happens?
- Where are we?
  - Are we on IaaS? If yes, can we access the metadata service?
  - More custom? Start digging and see what we can find.
  - https://medium.com/@d0nut/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5
- SSRF is the ability to direct a system in a privileged network position to issue a request to another system within the trust boundary.
  - Thank you @d0nut
- Internal network addresses in CIDR
  - 10.0.0.0/8
  - 127.0.0.1/32
  - 172.16.0.0/12
  - 192.168.0.0/16
  - Don't forget the numeric version!
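As an added example (not part of the original mind map or of the @d0nut article it credits), the defender-side counterpart of three nodes above in one Python validator: the protocol list (only http and https are let through), the "Bypasses" node (short forms such as http://127.1 and the numeric IP conversions, which the canonicaliser expands to dotted-quad form; it generalises the page's hint to the decimal, octal and hex parts that the classic inet_aton rules accept), and the "Internal network addresses in CIDR" node, extended with the link-local block that holds the 169.254.169.254 metadata endpoint and with IPv6 loopback. The hostnames internal.example and public.example, the fake DNS mapping and the sample URLs are constructed for the demo; everything else is standard library.

```python
"""Added example: an allowlist-style URL validator that canonicalises the
numeric IP forms and blocks the internal ranges listed on this page."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Only the schemes the application genuinely needs; ftp, dict, gopher, file,
# ldap, ssh and smb from the protocol list are rejected outright.
ALLOWED_SCHEMES = {"http", "https"}

# The page's CIDR list (127/8 rather than 127.0.0.1/32, since the whole block
# is loopback), plus link-local, where the cloud metadata endpoint
# 169.254.169.254 lives, and IPv6 loopback.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128",
)]

_NUMERIC_PART = re.compile(r"0x[0-9a-f]+|[0-9]+")


def parse_ipv4_literal(host):
    """Expand the numeric IPv4 forms a string blacklist tends to miss.

    Follows the classic inet_aton rules: one to four dot-separated parts in
    decimal, octal (leading 0) or hex (0x), the last part filling whatever
    bytes remain, so "127.1", "2130706433" and "0x7f.1" all become
    127.0.0.1.  Returns None when host is not a numeric literal at all.
    """
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _NUMERIC_PART.fullmatch(part):
            return None
        try:
            if part.startswith("0x"):
                values.append(int(part, 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))   # "08" raises ValueError
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    head, last = values[:-1], values[-1]
    last_bits = 8 * (4 - len(head))           # bytes not covered by head
    if any(v > 0xFF for v in head) or last >= (1 << last_bits):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << last_bits) | last)


def default_resolver(host):
    """Look a hostname up in DNS and return every address it maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_host(host, resolver=default_resolver):
    """Return the list of ip_address objects that host designates."""
    literal = parse_ipv4_literal(host)
    if literal is not None:
        return [literal]
    try:
        return [ipaddress.ip_address(host)]   # IPv6 literal such as ::1
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(host)]


def is_blocked(ip):
    """True when ip is internal, loopback, link-local or otherwise non-public."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:127.0.0.1 wraps an IPv4 target
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    return not ip.is_global               # catch-all for other reserved ranges


def validate_url(url, resolver=default_resolver):
    """Return (ok, reason); ok is True only for an http(s) URL whose host
    resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolve_host(host, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, "cannot resolve %s: %s" % (host, exc)
    for ip in addresses:
        if is_blocked(ip):
            return False, "%s resolves to blocked address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline (hostnames are made up).
    fake_dns = {"internal.example": ["10.0.0.5"], "public.example": ["8.8.8.8"]}
    for u in ("http://127.1/", "http://2130706433/",
              "http://169.254.169.254/latest/dynamic/instance-identity/",
              "dict://localhost:11211/", "http://[::ffff:127.0.0.1]/",
              "http://internal.example/", "https://public.example/"):
        print(u, "->", validate_url(u, resolver=lambda h: fake_dns[h]))
```

Two caveats follow from the page's own bypass list. The first bypass is a redirect from an external server, so the HTTP client must either refuse to follow redirects or run validate_url again on every Location target. And because the check resolves a name at validation time, the connection must be made to the address that was validated (resolve once and connect to that IP, or validate inside the client's connect hook); otherwise a name that re-resolves to an internal address between check and use defeats the filter.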