Server-Side Request Forgery
In this course, we're going to take a look at Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.
Hi. Within this lecture, we're going to see blacklisting and how we can bypass it. So, I am going to turn intercept off for a minute because I want to go back to the lab or the description itself. So, I am going to say 'Back to lab description' and just find the SSRF page one more time, because we're going to take a look at what blacklisting is and then we're going to see what whitelisting is as well. So, let me scroll down a little bit. We have seen the back-end side and here we go: SSRF with blacklist-based input filters. So, what is a blacklist? Of course, it's a protection mechanism. So, assume that you're the developer, or the developer of the website has discovered that, "Yeah, we have this SSRF vulnerability, let me just impose some measures in order to overcome this problem." So, maybe he or she added some kind of security measure, for example, filtering the input. For example, if it sees 127.0.0.1 or localhost, maybe the server doesn't accept that input. So, the suggestion over here in PortSwigger says that, "Yeah, maybe it doesn't accept 127.0.0.1." Then, you can try some other representation of 127.0.0.1. Or if it doesn't actually accept localhost, maybe you can try with 127.0.0.1 or something like that. For example, over here, we can see the other representations of 127.0.0.1; whether it's hexadecimal or another kind of representation, it doesn't matter. If it resolves to 127.0.0.1, then it's okay. And it actually gives us a website, spoofed.burpcollaborator.net, that resolves to 127.0.0.1. So, rather than writing localhost, you can actually write this to test it out as well. So, blacklisting is fine, but as you can see, it can be easily bypassed. Of course, it cannot be that simple sometimes, and we're going to see it in a minute. And I am going to go to the lab in order to show you that. And as you can see, it asks us to find the admin panel one more time and delete the Carlos user as usual.
So, let me show you what I mean. I am going to 'Access the lab' and remember that we can try 127.0.0.1 or localhost or any other representation of 127, like 127.1 rather than 127.0.0.1, or something like that. We can try to encode the things that we're going to be passing as well. So, let me see. The first product over here is 'What Do You Meme?' in my case. So, I am going to turn the intercept on and find the API over here. So, this is the stockApi parameter. I am going to delete this and I am going to go to localhost/admin, and let's see if this works or not. So, as you can see, I have changed this to localhost/admin, and it used to work in the first example, as we saw, but right now it says, "Could not fetch stock levels." So, we cannot see the admin panel over here, the admin user interface. So, it doesn't work. So, in order to see why it doesn't work, maybe we can just see the response or try to do it one more time in the repeater as well, but it's actually very easy: it blocks that kind of connection. So, you can try with 127.0.0.1. I am just going to send this to repeater so that we can see what's going on. I am going to 'Send' this and here we go. As a response back, we get this: "External stock check blocked for security reasons." So, it's exactly what we thought, right? The developer has implemented some new measures against this attack. So, let's try with 127.1, for example, or any other representation of localhost, like the ones the tutorial introduced. But as you can see, it still doesn't work. So, what we can do over here, for example, we can go along with this 127.1 but try to change the /admin side. Maybe they blocked 127.1/admin as well. So, what I can do, I can try to just leave it as it is, 127.1, or try with other representations, or try to encode the admin. So, go to the 'Decoder' and encode this with the URL representation and try like this. So, this is the URL representation of the word admin.
So, I am going to go back to repeater and just paste it over here and try to 'Send' this as a request. So, let's see if this works. And as you can see, it doesn't work. Still, we cannot get this to work. So, I am going to just delete this. As you can see, it still doesn't work. I am going to try and change only one letter. So, for example, let me change the letter a and paste the thing over here and send it. As you can see, it still doesn't work. So, we can try one by one. And we can try double encoding. So, we can encode this one more time and try to copy and paste this. So, I am only changing the a, as you can see. I am only changing the a. And as you can see, it worked. It worked. And here we go, we managed to reach that admin user interface. So, why did it work? Because most probably it was trying to block admin or /a or something like that, and we managed to bypass it. So, maybe we can try this with other stuff. Let's try to change the d and see if it works. So, I am going to double URL encode the d. So, it should be like this. I am going to copy this and come over here to repeater, delete the d, and paste the thing in. And here you go. It works again. So, maybe it would have worked with the whole word admin as well if you double encode it. So, double encoding works. So, I am going to say /delete?username=carlos and send this. Here we go. I believe it works, but we cannot see the thing over here. Maybe I am just giving this wrong. So, it should have been... Nope, I am giving it right, so delete?username=carlos. So, maybe we can just try and copy and paste this thing and try it with the regular request. So, I am going to do it. I am going to copy this and go to proxy and delete this thing. And here you go. Here we go. I believe it worked now. So, let me go back and scroll up and here you go. It says, "Congratulations." So, it's easy to find the solution to bypass the blacklist.
It's exactly what we did in the SQL Injection section. So, we managed to find some other ways to represent what we are writing and it eventually got through. So, blacklisting works, but not exactly. It's easier to bypass when we compare it with the whitelist. So, this is a way to find and exploit the SSRF vulnerability as well. So, the main idea over here is: don't give up if you don't actually see the SSRF working the first time, and try some other alternatives to bypass the blacklist or the whitelist. So, let's stop here and focus on whitelisting in the next lecture together.
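The two bypasses used in the lecture, a shorthand spelling of the loopback address (127.1) and a double-URL-encoded letter in /admin, both work because the filter compares raw strings instead of what the request will actually do. The script below is an added example, not code from the lecture or from PortSwigger's lab, and the hostnames and URLs in it are constructed for illustration. It puts a string-matching blacklist of the kind the lecture describes next to a check that first normalizes the target (decodes the path until it stops changing, and interprets the host the way inet_aton does, so 127.1, 2130706433, 0x7f000001 and 017700000001 all collapse to 127.0.0.1) and then runs the lecture's payloads through both.

```python
"""Added example: a naive SSRF blacklist versus a normalizing one.
Not part of the lecture or the PortSwigger lab; hosts below are made up."""
import ipaddress
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# The kind of filter the lecture describes: reject the literal tokens an
# attacker is expected to type. Token set is an assumption for illustration.
BLACKLIST = ("localhost", "127.0.0.1", "/admin")

# One part of an IPv4 literal as inet_aton accepts it: 0x hex, 0-prefixed octal, or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def naive_blocked(url: str) -> bool:
    """Blocks the request only if a blacklisted token appears verbatim."""
    lowered = url.lower()
    return any(token in lowered for token in BLACKLIST)


def full_decode(s: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so double encoding
    (%2561 -> %61 -> a) is undone before the path is inspected."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def parse_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Interpret host like inet_aton: one to four dot-separated parts, each
    decimal, hex or octal, with the last part filling the remaining bytes.
    Returns None when the host is not an IPv4 literal in any of these forms."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    *lead, last = values
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << (8 * (4 - len(lead)))) | last
    return ipaddress.IPv4Address(number)


def hardened_blocked(url: str) -> bool:
    """Decides on the normalized target rather than the raw string.
    DNS names are not resolved here; a real deployment must resolve them and
    re-check the resulting address (and ideally use an allow-list instead)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = full_decode(parts.path).lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    addr = parse_ipv4_literal(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)  # e.g. an IPv6 literal such as ::1
        except ValueError:
            addr = None  # a DNS name: cannot be judged offline
    if addr is not None and (addr.is_loopback or addr.is_private
                             or addr.is_link_local or addr.is_unspecified):
        return True
    return "/admin" in path


def evaluate(urls):
    """Map each URL to (blocked by naive filter, blocked by hardened filter)."""
    return {u: (naive_blocked(u), hardened_blocked(u)) for u in urls}


if __name__ == "__main__":
    # Constructed payloads mirroring the lecture's steps, plus a benign one.
    for url, (naive, hardened) in evaluate([
        "http://localhost/admin",
        "http://127.1/admin",
        "http://127.1/%2561dmin",
        "http://2130706433/%2561dmin",
        "http://0x7f000001/%2561dmin",
        "http://017700000001/%2561dmin",
        "http://stock.example.net:8080/product/stock/check?productId=1",
    ]).items():
        print(f"{url:60} naive={naive!s:5} hardened={hardened}")
```

Running it shows the lecture's winning payload, 127.1 with %2561dmin, passing the naive filter and being caught by the normalizing one, while the benign stock URL passes both. The hardened check is still a blacklist; it only closes the spelling and encoding gaps demonstrated in the lab, and the whitelisting approach covered in the next lecture is the stronger design.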
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.