Introduction to Server-Side Request Forgery


Server-Side Request Forgery
What is SSRF?

The course is part of this learning path

What is SSRF?

In this course, we're going to take a look at Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.


Hi, within this section, we're going to take a look at the SSRF vulnerability to see what it is, how we can exploit it, and also we're going to take a look at the OWASP Top 10 one more time. So, in the previous section I believe we talked about the OWASP Top 10. Of course, I took a look at the OWASP Top 10 before I start preparing this course, the curriculum of this course because you need to know about the most common vulnerabilities of websites in order to understand the web pentesting in a more comprehensive way. And I have prepared all the sections according to this OWASP Top 10. However, as I said before, this list is not something constant, it changes in years. They aim to update it in every three years and guess what? Now it's updated and many of the vulnerabilities are still in place and the list didn't change too much. We have only one edition that we haven't seen. We haven't covered in this course before and I'm going to explain it in this section as well. Don't worry about it. But the thing that you should know is that this list gets updated and in 2021, it got updated again. So, if we took a look at the list, now we can see the new vulnerabilities, new sections, new categories, and sometimes categories just change names, okay? For example, in 2017 we had the sensitive data exposure. Now, it's called cryptographic failures. So, let me zoom in so you can see it in a better way, okay? So, we have this SSRF which is Service-Side Request Forgery attack or vulnerability in the 10th position. We haven't actually seen this before and we're going to cover this within this new section. And also as I said before, some of the vulnerabilities change orders. For example the injection, the SQL injection and other injections were number one, right now it's number three but since the data exposure, it was still there but it changed the name such as cryptographic failures, okay? So, the terms do not matter much, you don't have to memorize everything. You need to understand the logic behind them. But I believe it's a good thing to know at least the top three of the OWASP Top 10 so that if you come across a question like in an interview, if somebody asks you what is the top 10, what is the first of the OWASP Top 10, then you can just say, it's Broken Access Control. It used to be Injection but right now it's Broken Access Control. So, I suggest you keep an eye on this list, okay? Once it gets updated, you need to understand why it gets updated, why the new vulnerabilities arise and how you can actually exploit them? So, that's exactly what we're going to do, so we need to take a look at the Server-Side Request Forgery in this section in order to understand what it is and how we can exploit it, okay? So, in order to do that, I came up with a new lab, something like a new CTF and it's going to come from the PortSwigger, okay? So, let me show you what I mean. What I did was, I went to Google in order to find a good CTF or good machine to work upon to show you the SSRF and the first thing that popped into my Google when I search about SSRF was PortSwigger. If you cannot find it, you can just of course search for ssrf portswigger as well. And guess what, PortSwigger is the company that actually builds the Burp Suite. So, we have been using the Burp Suite all along this course and of course, PortSwigger has offered some good tutorials and labs for all kind of vulnerabilities that you can imagine throughout these years, and SSRF is one of them. So, what I did was I came up over here and just try to understand if it has labs like some live websites that we can actually exploit those vulnerabilities and guess what, it has. So, you need to find this website, okay? And you need to log in, so you need to sign up to the PortSwigger. Don't worry, it's actually free, you have to give your email and you have to just get a password out of that email and just log in in order to actually experience the labs. But if you don't want to do that or if you cannot find it for some reason then don't worry, this is going to be like a small section, of course, you don't have to experience, you don't have to just do this hands on, you can just take notes if you don't want to sign up or if you just don't feel like it or if you don't have an Internet connection or something like that or if you cannot find it for some reason. But you can take notes and understand the SSRF because the thing that we're going to do here is to understand the vulnerability then just execute it and see how it goes. So, as you can see it has some level progress over here. So, if you saw like 47 apprentice thing over there or maybe 100 practitioner or some 27 expert labs, then you get some badges and stuff. So, it has some kind of gamification, if you want to solve the other labs, that's fine. So, let's go back to the SSRF. What is Server-Side Request Forgery? So, this is actually a vulnerability that will allow us to induce the server-side application to make requests, okay? So, what does that even mean? So, we're going to do some HTTP requests or we're going to do some request to the server and even though if we are not authenticated as an administrative user, for example, it's going to work. So, how does this work? We know how a website works right now, right? So, websites works in a server, in essentially a computer, in that computer we can run some kind of Apache service, for example, in order to expose our website, files and folders to the end users. But for some reason we can have many more applications or services running on the same computer as well. And this is mainly the case because websites tend to be much more complex than what it seems like, right? So, we can have a backend system. We can have like a database service or anything that pops into your mind and they're generally on the same computer, they are generally on the same network, they can communicate with each other. So, maybe I can just send a request to one of those servers or one of those services as if I am the administrator user and I can gain access by doing that. So, what do I mean by that? Let me just scroll down a little bit and see for yourselves. As you can see over here, it says that if the attacker which means us that induces the application to make a request back to the server that is hosting the application via its loopback network. So, this is generally the localhost Okay, if you run ifconfig over here, you will see that this is the loopback interface and points to the So, remember that inside of the Kali Linux, we can actually run an Apache service, right? So, if I want I can just run service Apache to start and expose my web service to the other computers on this network like this. So, if I had something like a Windows running on this virtual machine, okay? I can reach that website, the Apache server hosting from the other websites, from the other computers on the same network. And I can't just browse and do whatever I want to do, right? So, the logic is the same. So, if I can reach the service from here, maybe I can reach the other services on the Kali Linux as well. If I get to find the correct APIs, correct servers, correct things to do, correct ways to approach this problem. Of course, it has to have this vulnerability, it has to have some kind of misconfiguration or some kind of ignorance or some kind of vulnerability when it comes to decoding itself. So, we're going to talk all about this. So, if you came to this point then that's great, we're going to stop here and continue within the next lecture together.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.