0dSSRF | Automate Finding SSRF & External Service Interactions & Open Redirects

1 month ago 26

BOOK THIS SPACE FOR AD

ARTICLE AD

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker tricks the server into making unintended requests to internal or external services. SSRF can bypass network boundaries, reach restricted systems, or exfiltrate sensitive information.

Accessing Internal Networks: Attackers can use SSRF to access services that are only available within an internal network, such as internal APIs or database servers.Bypassing Firewalls: SSRF can be used to bypass network restrictions and reach otherwise inaccessible services.Data Exfiltration: Attackers may use SSRF to retrieve sensitive data from internal services, such as metadata from cloud instances.

SSRF isn’t limited to HTTP requests. Often, the vulnerability includes interactions with external services, such as DNS lookups or port scanning. Sometimes, the server’s interaction may only resolve to a DNS query without completing a full HTTP connection.

Although DNS lookups alone may not seem harmful, they could still indicate a potential vulnerability or system misconfiguration. Reporting these to the responsible team is worthwhile, as these subtle clues can lead to deeper issues or even rewards.

External Service Interaction via Host header

Update: now HackerOne triagers are considering this issue as informative.

To identify SSRF vulnerabilities effectively, I structured the discovery process into four stages. Each stage targets a different attack vector, ensuring a comprehensive assessment of the target application.

The first step focuses on manipulating the Host header. Some applications rely on the Host header for routing or validation, which makes it an attractive target.

Example:

curl -H "Host: collaborator-id.burpcollaborator.net" https://target-site.com/resource

By injecting a malicious value into the Host header, I can trick the server into making requests to the Burp Collaborator.

In this stage, I target commonly used HTTP headers, such as X-Forwarded-For, Referer, Origin, and others, which are frequently processed by servers during request routing.

Example:

curl -H "X-Forwarded-For: collaborator-id.burpcollaborator.net" https://target-site.com/resource

the most common headers are

From: From: root@$Collab
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@$Collab
Referer: Referer: http://$Collab/ref
X-Original-URL: X-Original-URL: http://$Collab/
X-Wap-Profile: X-Wap-Profile: http://$Collab/wap.xml
Profile: Profile: http://$Collab/wap.xml
X-Arbitrary: X-Arbitrary: http://$Collab/
X-HTTP-DestinationURL: X-HTTP-DestinationURL: http://$Collab/
X-Forwarded-Proto: X-Forwarded-Proto: http://$Collab/
Origin: Origin: http://$Collab/
X-Forwarded-Host: X-Forwarded-Host: $Collab
X-Host: X-Host: $Collab
Proxy-Host: Proxy-Host: $Collab
Destination: Destination: $Collab
Proxy: Proxy: http://$Collab/
X-Forwarded-For: X-Forwarded-For: $Collab
Contact: Contact: root@$Collab
Forwarded: Forwarded: for=spoofed.$Collab;by=spoofed.$Collab;host=spoofed.$Collab
X-Client-IP: X-Client-IP: $Collab
Client-IP: Client-IP: $Collab
True-Client-IP: True-Client-IP: $Collab
CF-Connecting-IP: CF-Connecting_IP: $Collab
X-Originating-IP: X-Originating-IP: $Collab
X-Real-IP: X-Real-IP: $Collab

This stage often reveals SSRF vulnerabilities in web applications that trust user-controlled HTTP headers.

In the third stage, I focus on injecting absolute URLs directly into the requests. Certain web servers extract the hostname from the absolute URL and handle requests based on it. This behavior can be exploited if the server fails to properly validate the URL.

Example:

injecting absolute URL example

If the host header is different from the hostname in the absolute URL, the request may be redirected or handled differently by the server. If these URLs are not properly validated, it can lead to SSRF vulnerabilities.

This vector is particularly useful for cases where applications redirect requests based on the full URL or validate access based on it.

The final stage targets URL parameters where SSRF vulnerabilities often hide. By injecting the Burp Collaborator payload into various parameters, I can discover vulnerabilities that lie deep within the application logic.

Example

https://target-site.com/resource?param1=collaborator-id.burpcollaborator.net&param2=value2

the most common parameters are

?dest=
?redirect=
?uri=
?path=
?continue=
?url=
?window=
?next=
?data=
?reference=
?site=
?html=
?val=
?validate=
?domain=
?callback=
?return=
?page=
?feed=
?host=
?port=
?to=
?out=
?view=
?dir=

But!! By iterating through all possible parameters, this stage ensures that no potential entry point is missed.

Using the above methodology, I was able to discover five SSRF vulnerabilities in the same target. Each vulnerability was identified by carefully analyzing the server’s responses and correlating them with the Burp Collaborator logs.

To streamline the SSRF discovery process, I developed a custom Bash script, 0dSSRF. The script automates the injection of the Burp Collaborator payload across multiple vectors (headers, parameters, absolute URLS) and logs the results.

NOTE: The third stage, you can also use burp intruder, it would be better to catch reflective values or unpredictable behaviors.

automate injecting absolute URL

Multiple Injection Methods: Automatically inject Burp Collaborator payloads into:

Host HeadersCommon Headers (User-Agent, Referer, X-Forwarded-For, etc.)Absolute URLsURL Parameters (with automatic URL extraction)

Flexible Scan Controls: Adjust the delay between requests for rate-limited environments.

Resumable Scanning: Continue from the last session if the scan is interrupted.

Structured Output & Logs: Save all results in a clean, organized directory structure for easy reference.

You can check the full script and more detailed instructions on GitHub:
GitHub: 0dSSRF

I’m eager to hear your feedback and suggestions on how it can be improved.

Monitoring Collaborator: Once you start the scan, check Burp Collaborator for DNS lookups or HTTP requests from the tested domains.

Interpreting Results: Vulnerable subdomains or vectors will appear in the collaborator’s log. For example:

Identifying Vulnerable Subdomains:

subdomain-vulnerable-com >> subdomain.vulnerable.com

Vector Vulnerability Identification:

h for Host Header, a for Absolute URL,p for parameter, in common headers you will find the vulnerable header

For the fourth stage, also requests carry information about the vulnerable server & parameter & time:

Webhook Integration: Automatically collect vulnerable server results using webhook.site.Discord Notifications: Receive real-time Discord alerts when vulnerable domains are detected.Multithreading: Improve performance and reduce system load by implementing multithreading.

The SSRF vulnerability is a serious threat, and the right approach can help you uncover hidden risks. By automating the process with 0dSSRF, you can efficiently test for SSRF and external service interactions.

I hope you found this write-up helpful! Feel free to ask any questions, provide feedback, or suggest improvements for the tool. Happy hacking!

GitHub: 0dSSRF

Read Entire Article