SSRF Backend Attack
Start course

In this course, we're going to take a look at Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.


Hi, within this lecture we're going to see the next challenge about the SSRF and we're going to see how it's different than the previous one, and how to solve it as well. So, I'm going to turn the intercept off for a minute over here and let's see how we can go back to SSRF. Here you go. So, let me scroll down a little bit. So, we have actually experienced the attack directly to the server itself. Now we're going to attack against the other backend systems. So, over here we're actually going to see the another type. So, this is like a relationship that often arises, the server-side request forgery is where the application server is able to interact with other systems. So, what we're going to do?

We're going to try and find another system that is working on the same network and we don't even know the IP address, the local IP address of that networks or of that service.

For example, over here it says that it can be something like, but we don't know it. If we can find it, now we can go to the admin server or admin user interface and we can try to delete the user or do whatever we have to do using that exploit. However in this case the admin user interface is running on another service and we don't even know the IP address. So, first of all we need to understand, we need to discover whether we have that service, in this case in another local IP address and then try to see if we can reach it via a loop back or via SSRF vulnerability. So, this is one of the interesting ones and I believe this is much more fun than what we have done in the previous lecture. It's very understandable and easy as well. So, of course we're going to work with the stockApi parameter again and we need to supply some sort of IP address over here rather than the local network or loop  back address of 127001. So, in order to do that I'm going to go and access the lab and as you can see it asks us to delete the carlos user one more time.

So, as you can see it asks us to find that IP address. We don't even know that IP address. So, it should have started with the 192.168. However it can end with 1 to 255 range. So, we need to find exactly what it is. So, I'm going to access this lab. Of course this is one of the things that you should try in order to understand whether there is a way to reach the local service if there is one and what is the exact IP address of that service if we can reach it, if we can do something with it. So, it's a little bit harder to find but we'll see. So, here we go, we have the shop, now we have I believe different products. So, I'm going to go with the first one as usual which is the lazy dog in my case and as you can see we can still check the stock. So, I'm going to open the burp and turn it on and check the stock. Here you go. We have the stockApi over here and if I delete it and try with some other IP addresses over here actually, rather than delete it, I'm just going to send it to intruder or repeater.

So, the reason why I'm sending this to intruder because I want to try IP addresses one by one. So, what we're going to basically do over here is that we're going to try 192.168.01, 02, 03, 04, one by one. Of course we can do it from here or repeater as well. However, it will take time and it will be completely manual if we do that. So, rather than that we're just going to go with intruder. So, what we're going to do we're going to say So, over here maybe we can just go along with this manually like this 2, 3, 4, 5, however it will take time. So, since we have the intruder and we know we can brute force with this, why not use it? So, all we going to do, we going to change the positions. So, I'm going to delete the stockApi from here and I'm going to say http:// over here. So, of course, we're going to change this one.

So, select one, select the partition that you want to brute force. So, in this case, this is the one, select it and click on the 'Add' button. Make sure you highlight the thing that you want to change. If you hit 'Add' then you can see there are dollar signs around this one and of course we have another one over here like cookie session, we don't need that so I'm going to clear this. Great, now this will actually change this. I'm going to just edit one more time in order to make sure this is going to change this one and try with other possibilities. So, in order to do that I'm going to go into the payloads and rather than simple list, I'm going to go with numbers because that's basically what we're going to do. So, we're going to do the sequential and it will start from 1 and end in 255, and step will be 1 as well. So, it means that we're going to increment this by one each time.

So, right now I believe we can start the attack and if you don't know why we're using 1 to 255, because that is the IP range. I suggest you take the complete ethical hacking course from me where we can actually deep dive into the networking things. So, here you go. It's already started and as you can see it's a little bit slow because we're using the community edition. If we had used the pro, I believe it should have been done by now, but since we're using the free version and it's troubling to think it's making it slow by purpose. So, you need to upgrade to the pro version if you wanted actually much more faster. So, over here we can click on any of the requests to see the responses, and if we look at the status we can see the 500, 400 and over here we see the 200. So, it means that it's okay. So, if we see the 200 we can just go along with this and try to change this one.

So, here you go 26. We already found it so if I go to response as you can see it says that some an admin user interface. So, we already have that so we can just right-click and send this to repeater. And beware that I found it just by looking at the status. So, it's the only one different from the others. So, over here in the repeater I have this Of course you can just see the response from here as well, it means that we got to find it. So, I'm going to go back to proxy and just copy and paste this because I will just forward it as a request as a real request. Here you go. Of course if you want, you can just directly add the delete functionality here as well like /delete?username=carlos.

So, if you're not sure about the username and stuff, you can go back to repeater but I'm sure. So, here you go. So, let's see if it got done, here we go. I believe we managed to do it. So, we can see the congratulations thing over here. So, I'm going to forward every one of these and scroll up a little bit and here you go, we sold this case as well. And this time we didn't actually directly attack the server  itself but we attacked another service running on the same network as our http service or web service, and we managed to reach it via the SSRF vulnerability, and it made us available to get to the admin user interface and eventually find out how to delete the user. By the way it's still going on. As you can see, it's very slow at this point, of course you can just turn it off like this and continue with your life. Great. Now this is good but we need to take into consideration of additional protection mechanisms as well. So, in order to do that, we're going to solve the other challenges in the PortSwigger lab or PortSwigger tutorial. In order to do that, I'm going to stop here and continue within the next lecture together.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.