In this course, we're going to take a look at the Server-Side Request Forgery (SSRF) vulnerability and learn what it is and how we can exploit it.
Hi, within this lecture we're going to take a look at whitelisting. We have already seen blacklisting in the previous lecture, and you can understand what whitelisting is just by looking at the definition. So, let me show you. I'm just going to go back to Burp Suite, turn Intercept off and try to go to the lab description. So, over here, I believe this will be the last lecture of this SSRF section and we're going to complete it with whitelisting. So, let me scroll down a little bit. So, we have seen blacklisting, and whitelisting is the exact same thing, but actually it's the exact opposite of blacklisting. In blacklisting, it blocks some kinds of input by matching them against some kind of predefined rules. In whitelisting it doesn't block, but it only allows some inputs by trying to match them against the predefined rules. So, in blacklisting, if you bypass it, if you try to find a way to just turn that around, you can easily get in. But in whitelisting, you have to find what is allowed, and it's harder to do, at least in my opinion. But of course, there are some suggestions. As you can see, it says that you should just find a host. Find the IP address or something like a domain, and you can try to embed credentials in a URL before the host name. So, you can use the @ character. As you can see, we're going to try and do this like username@thiswebsite or something like atil@thiswebsite. So any parameter at this website. And over here it says that you can use the hashtag or pound sign character to indicate a URL fragment. So, we can try this with the @ and pound sign, or vice versa, at the same time. So, let's try and see how it works. I'm going to just 'Access the lab' and of course it asks us to find the admin user interface and delete carlos. So, I'm going to access the lab and try to walk you through those suggestions.
Of course, the idea over here is that it actually breaks the URL apart into fragments and tries to make sense out of it, and tries to get the inputs, only the allowed inputs, from that request. So, by adding the pound signs or the at signs, we're trying to create some fragments. So keep that in mind. So I'm going to turn Intercept on and I'm going to just check the stock. And of course over here in the stockApi, I'm just going to send this to Repeater because we're going to try it. So, I'm going to delete everything from here. So, say 'http://localhost/admin' or any other thing that you want, and you can see for yourself that again it says that it's blocked. And the interesting part is that the error message is different as well. It says something about the external stock check, that it should be some kind of different website. So, over here we don't see it, but in the message it clearly says that, External stock check out, that must be stock.weliketoshop.net. So we need to send this to stock.weliketoshop.net. So, let's try that. I'm just going to copy and paste this over here. Rather than localhost, maybe we can just try to point this over there and see if it works or not. So, we are just experimenting over here. So I'm going to just say stock.weliketoshop.net and just send it. And here you go. It says, "Could not connect to external stock check service." So, it's giving us a different error message this time. So, error messages are very important, so we can understand what's wrong. And over here, maybe we are dealing with some kind of new protection mechanism this time. So, maybe it's whitelisting. So, I'm going to try this, atil@stock.weliketoshop.net. But as you can see, it doesn't work. So, the atil, or anything like a username or some kind of thing, it doesn't make sense to put it over there. I'm just trying to see if it actually allows some parameters or tries to give me some kind of different error message.
So, let's try the pound and at sign over here after the username, and see if that works. And I'm just going to delete the admin and try to send this over there. It still doesn't work. So, what we can do over here, we are trying to actually make this into a fragment. So maybe it's blocking the hash sign or the at sign. So, maybe we can just add this pound sign. Maybe we can add this pound sign before the at sign. Or maybe we can add the pound sign, but URL encoded. So, maybe it's trying to do blacklisting and whitelisting together, I don't know. So, we are trying different things and as you can see, it still doesn't work. And sometimes it gives us the stock.weliketoshop.net thing. Over here it means that we actually broke the fragmentation somehow. So, rather than this, what I'm going to do, I'm going to try and send this to localhost, to port 80, and I'm just going to say pound sign and at. And I'm going to try the blacklisting bypassing thing one more time over here. So, rather than the pound sign, I'm just going to double encode it like this. So URLs, come on. I'm just going to copy this. So, double URL encoding over here, and rather than the pound sign I'm just going to paste this, and I'm not going to change the at sign. So if I send this, as you can see it works. The trick over here was to change the pound sign to make this into fragments and just double URL encode that. So, let me try to go into the admin this time and try to just directly delete the carlos user. So 'deleteusername=carlos'. So I'm just going to copy this thingy over here and go to the Proxy, and just delete the stockApi from there, and I believe I'm doing this wrong. So I'm just going to delete everything over here and paste the thing one more time. And I believe we have to hit 'Enter' over here to make this right, and here you go. Now, I'm going to forward this and see what happens. I just added the delete functionality as we usually do in this section.
So, I'm going to forward this, and one more time I believe it worked. If we go back and scroll up, here you go, it says, "Congratulations." So, as you can see, you can try these pound sign or at sign things and you can try to actually double URL encode them, or encode them in any other way you think might work. And as you can see, it's actually a little bit harder to discover the bypass when you compare it with the previous examples that we have done. So, I believe these blacklist-based input filters will be beneficial for you if you memorize them, like 127.1 or any kind of representation like this; 'spoofed.burpcollaborator.net' is great for that purpose. But in the end, I believe if you completed all of these lectures with me, you now understand what SSRF is and you now understand how to exploit it if you find the vulnerability. Now, what I would suggest is to continue with the PortSwigger Labs. They are very good, and if you have an account you can try to get some badges and try to learn from them as well. And what I would suggest next is, if you find a CTF that actually involves an SSRF vulnerability as well, I couldn't find a very proper one, but maybe you will find one, you can try to actually execute the SSRF in another environment and it would be good for you as well. Because right now this is one of the top 10. So far so good, I hope you enjoyed this section as well. We're going to stop here and continue within the next one together.
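As an added illustration, not code from the lecture or from the lab itself, here is a small Python sketch of why the double-encoded pound sign gets past a host allowlist, seen from the defender's side: a naive check that decodes the URL once and then trusts the parsed host, the target the request actually reaches when the URL is decoded once more before it is fetched, and a stricter check that rejects the same input. How the lab's filter is really implemented is not shown in the lecture, so both the naive check and the "decoded once more" step are assumptions; the host name comes from the error message quoted above, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, unquote

# Host taken from the error message quoted in the lecture.
ALLOWED_HOST = "stock.weliketoshop.net"

# Constructed sample inputs: the plain attempt the lecture shows being blocked,
# the '@'-only attempt, the double-encoded '#' variant that finally worked,
# and a legitimate stock-check URL (path/query are made up for this example).
SAMPLE_URLS = {
    "plain": "http://localhost/admin",
    "userinfo_only": "http://atil@stock.weliketoshop.net/admin",
    "double_encoded": "http://localhost:80%2523@stock.weliketoshop.net/admin",
    "legitimate": "http://stock.weliketoshop.net/product/stock/check?productId=1&storeId=1",
}


def naive_host_check(url: str) -> bool:
    """Assumed weak allowlist: decode the whole URL once, then trust the parsed host.

    This is an assumption about how a filter like the lab's might be built, not
    the lab's real code. One decode turns %2523 into %23, so the authority part
    reads 'localhost:80%23@stock.weliketoshop.net'; the parser files
    'localhost:80%23' under userinfo and reports the allowlisted host.
    """
    parts = urlsplit(unquote(url))
    return parts.hostname == ALLOWED_HOST


def effective_target(url: str) -> tuple:
    """Where an HTTP client would connect if the string is decoded once more
    before the request is built (again an assumption about downstream code).

    The second decode turns %23 into '#', which ends the authority section, so
    everything after it becomes a fragment and the real host is localhost:80.
    Returns (hostname, port, fragment).
    """
    parts = urlsplit(unquote(unquote(url)))
    return (parts.hostname, parts.port, parts.fragment)


def strict_host_check(url: str) -> bool:
    """Hardened allowlist: validate exactly the string that will be fetched,
    parse it once, and reject anything with userinfo, a fragment, or
    percent-encoding inside the authority section."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    if "%" in parts.netloc:          # no encoded bytes hiding in host/userinfo
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # no user@host tricks
    if parts.fragment:
        return False                 # no '#' cutting the authority short
    return parts.hostname == ALLOWED_HOST


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        host, port, _ = effective_target(url)
        print(f"{name:15} naive={naive_host_check(url)!s:5} "
              f"strict={strict_host_check(url)!s:5} connects_to={host}:{port}")
```

The defensive lesson is the mismatch between what the filter parses and what the client fetches: validate the exact string you hand to the HTTP client, parse it once with the same parser the client uses, and refuse userinfo, fragments and encoded bytes in the authority rather than trying to blacklist individual characters. Where possible, go further than string matching and pin the outbound connection to a resolved, known-good address.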
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.