Server-Side Request Forgery
The course is part of this learning path
In this course, we're going to take a look at Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.
Hi, within this lecture we're going to do our first SSRF attack so that you can understand this in a much better way while implementing it or executing it yourself. So, let's see the example over here. So, it says that consider like an e-commerce application or e-commerce website. So, there is an e-commerce website that actually provides some products. And over here we're going to just do something like a stock check. So, it says that 'whether an item is in stock in a particular store'. So, we're going to check to see if there is a stock in the London branch for example or in the Paris branch for example. So, the server will return this value to us. But it says that get that request from the Burp suite and you can change that request to actually execute the SSRF attack. So, it happens that it has some kind of parameter over here like stock API and it has this product ID, store ID, but we're not interested in any of those things, but we are interested in that we're going to change the stock API to try and make our way into the admin panel. So, as you can see this is http local host admin.
So, the example here is that if we actually put the slash admin at the end of this website, it won't work because we are not administrator user, it won't display that admin interface to us. And it's the way it's supposed to be but if we reach that via local host or loop back via the 127OO1 or local host doesn't matter then we can reach that administrator panel or administrator user interface and we can just do whatever we want to do with it. Okay, so that's the logic behind the SSRF. So, it doesn't actually let us reach the administrator panel using the regular URL, but if we reach it via local host then it will let us. So, let's go to the lab as you can see it says not solved. And over here we have the lab, we have the challenge and also, we have the solution as well. So, I'm just going to try and solve this without looking at the solution and I will suggest you do the same after you do this one example maybe you can just post the video in the next lectures and try to solve this on your own. But I believe there is nothing wrong with just taking a look at the solution because this is the first time that you're actually learning about this.
So, the challenge is change this stock URL or the API URL to the local host admin and find a user called carlos and delete them. Okay. So, what we what we are trying to do to reach the administrator panel and delete the user carlos. So, let's see how we can do that. Maybe we're going to have to just change the stock API maybe we're going to have to do something else in order to figure that out. I'm just going to access this lab. Of course, we need to open the burp suite and configure our browser to work with the burb suit with changing the proxy settings and stuff. And I believe by this time now it should be a second nature to you and you can actually work with the burp suite in a quick way. So, I'm going to zoom in a little bit so that you can see it in a better way. As you can see, this is just an e-commerce website. There are a lot of products over here. Maybe you're seeing some different products, I don't know and we don't care actually because what we want to do, we want to just try to go into one product and just find that store checking API. Okay, so maybe you can choose any of the products from here. Maybe your favorite one. I'm just going go with the first one as you can see says that 'There's No Place Like Gnome'.
Over here we have the description and we have the check stock thingy. So, I'm going to check the London stock as you can see, it says that 115 units, which is great. So, if I go to Paris for example, it says that 509 units, so it's working. So, let's go to the main website again. So, let's try to find the admin. Okay, so admin panel as you can see it says that 'Admin interface is only available if logged in as an administrator' or it gives us hint it says that 'if requested from the loopback'. So, maybe you have found this admin by a der buster or Derby or some kind of tool or maybe you can you just actually tried it on your own. There is no shame in trying slash admin, administrator or something like that. Maybe you found out that this exists but you can not go into that. Okay, so next thing you should do is to understand if there's any SSRF vulnerability to go into that administrator panel. So I'm going to open the Burp Suite. Okay. And we're going to of course configure this burp suite to work with our browser and just catch the or intercept the request. So, I'm going to open my foxy proxy and let's find the burp suite over here, go to proxy. Here we go intercept is now on and I'm going to try and see the admin requests.
So, for some reason it doesn't seem that it's intercepting. here we go. So, as you can see in the administrative panel it says that get admin and we don't have any kind of parameters if I forward that there is no anything funny going on over here, for example, maybe there is something like is admin so I can change that parameter like we did in the previous section but there isn't anything like that, it's just a GET request. Okay it doesn't have parameters, it has some headers but it doesn't do anything for us. So, you cannot actually change your way into that administrator panel using some kind of like changing parameter scheme. So, what we're going to do, we're going to try this, so, I'm going to intercept one more time and try to check the stock of the London. Here you go. Right now we see the stock API parameter over here. And of course it points to something like a product ID, store ID, something like that. So, I'm going to send this to repeater so that we can play with it. If we send this as you can see it returns back the units for us like 509 or six or something like that so it's working. But what I want to do? I want to change the stock API. So, rather than pointing to that, I want toloca point to something like http://localhost/admin for example. Okay, here we go. Now I change this parameter to be like this. If I send this as you can see, we get an html back, we get a response back, most probably we get this thing back. So, what I'm going to do, I'm going to go to the actual request over there, I'm going to just change this to be local host admin as well, so localhost/admin, I'm just going to forward this and here you go. If I scroll down here we go, we see the admin panel over here rather than five online or any unit number, any number over here, we now see the admin panel. So, I can see the Users, I can see the carlos and wiener. So, maybe I can just delete the carlos from here and see how it goes. Right. So, I have seen the admin panel which is the first thing that we should have done in this challenge and now it's there. So, this is the SSRF actually you can try to go back to the SSRF and just read the explanations over there to understand why this happens, why the administrators or web developers leave this on in order to understand this in a better way. So, if I can explain it in little words, I can say that. So, as you can see there is some protection, right? You cannot just go directly to the administrator panel by saying that /admin. So, they have some kind of protection mechanisms, but they do not have that if the request is made via loopback. So, maybe there is some kind of reason for web developers to leave that open. Maybe they want to leave that open in case they get hacked or something like that. Maybe they lose the administrator password, so that they can actually logged into the administrator panel or maybe they made some kind of mistake, maybe they ignored this kind of situation. But anyway, they do not have that protection mechanism over here. So, we're going to see if they actually add some mechanisms to prevent this issue. There may be some kind of swing around things that we can do to bypass those mechanisms as well. We're going to see about those in the following lectures, right now let's try to delete the carlos and see what happens. So, if I click on delete as you can see, we see the requests and this is important because we need to use this later on. So, this admin/delete the username is carlos. Maybe you can just copy this. Okay, and save it to some kind of file to take notes. Or you can just send this to repeater so that it stay still in the repeater. You can just see this anytime you want. So, here you go. So, what it tries to do, tries to delete the carlos but if I forward this will it work?
So, let me just forward everything that pops over here, as you can see it doesn't work because again it actually leads us to this admin/delete user named Carlos. And since we are not admin and since we are not requesting this via loopback, it doesn't work, it actually gets stuck into the first protection mechanisms that we try to bypass. So, what we can do, we can just try to do this via loopback as well, we know how to do that. Right? So, what we try to do, just let me just close this interception. What we're going to try to do, we're going to find this stock API again and just change this to be admin slash delete user. So, let me open the intercept and let me check the stock. And here you go. Rather than this what I'm going to do, I'm going to say http://localhost/admin. And right now, I'm just going to go to repeater and try to copy and paste this, delete question mark username carlos. That's it, that's all you going to do. question mark user named delete?username=carlos. Now if I just send this to the loopback then it will work because we know that the SSRF thingy is over there. So, if I forward this. Here you go now I get the response back, it says 'Congratulations' or something like that. So, I'm just going to forward everything here. So, most probably we have already solve this thing. We don't see anything over there. So, let me forward everything and just see if we can get the message somehow over there.
Yep, here you go. Not this one but this one. So, as you can see it says that could not fetch the stock levels. But up here we see that, 'Congratulations, you solved the lab!'. So, this is what we needed to do. And this is the fundamental of the SSRF vulnerability as you can see even though we are not administrator users, even though there is nothing such like is admin parameter in the request. We still got to reach the administrator user interface and we still got to delete the user that we wanted to delete. Of course, there might be some other scenarios like some added protection mechanisms to make this much more secure. Web developers tend to do that of course and we're going to see how to bypass them in the following lectures as well. But it was essential for you to understand these fundamentals because it's eventually going to be a stemming from the same principle that we have learned in this lecture in the following lectures as well. So, let's stop here and continue within the next lecture together.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.