Beginners Introduction To Server Side Request Forgery

Server-Side Request Forgery (SSRF) is one of the most intriguing vulnerabilities in web security, allowing attackers to manipulate server behavior and access internal resources. Despite being less popular than SQL Injection or Cross-Site Scripting (XSS), SSRF can have severe consequences, from leaking sensitive data to compromising entire infrastructures. Let’s explore what SSRF is, how it works, and how to defend against it.

---

SSRF occurs when an attacker tricks a server into making HTTP requests to unintended locations. These requests are made on behalf of the server, often bypassing traditional firewalls and network restrictions.

Here’s a simple example:

An application fetches external content based on a user-supplied URL.

The attacker inputs a malicious URL e.g.,

tricking the server into making a request to an internal endpoint.

---

SSRF vulnerabilities typically arise in applications that:

Fetch data from user-specified URLs (e.g., image downloaders, webhooks).

Integrate with APIs or third-party services.

Attackers exploit SSRF in the following ways:

1. Accessing Internal Services: Internal services often lack robust authentication. SSRF can exploit this to query databases, access APIs, or connect to cloud metadata endpoints (e.g., AWS metadata service at http://169.254.169.254).

2. Port Scanning: By sending requests to different ports, attackers can map the server's internal network.

3. Data Exfiltration: SSRF can extract sensitive data by redirecting responses to attacker-controlled endpoints.

---

1. Cloud Services Exploitation
Attackers target cloud platforms (AWS, GCP) to retrieve metadata like credentials or instance details.

Example: Fetching AWS credentials from

Servers often have access to internal networks blocked to the outside world. SSRF can bypass these restrictions and access sensitive endpoints

Many internal admin panels are not intended to be exposed externally. An attacker can use SSRF to interact with these panels.

---

Basic Payloads

1. Access Localhost:

2. Access Internal IPs:

Cloud Metadata Exploitation

1. AWS Metadata:

2. Google Cloud Metadata:

3. Azure Metadata:

Attempt to discover open ports:

1. File Protocol:

2. FTP Protocol:

3. gopher Protocol (for advanced chaining):

Send requests to an attacker-controlled DNS server:

Common Payload Variations

1. Bypass Blacklists with Encoding:

2. Use Alternative IP Formats:

---

1. Capital One Data Breach (2019)

In one of the most high-profile SSRF attacks, an AWS misconfiguration was exploited to steal sensitive customer data. The attacker used SSRF to access AWS metadata and retrieve credentials.

2. GitHub SSRF (2020)

GitHub was found to have an SSRF vulnerability in its Actions service, allowing attackers to access internal GitHub infrastructure. It was responsibly disclosed and patched.

---

1. Input Validation

Allow only whitelisted URLs.

Reject requests with local IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16).

2. Use Network Segmentation

Isolate sensitive resources and ensure the application cannot directly access internal services.

3. Restrict Outbound Requests

Use firewall rules to limit the server's ability to make outbound requests to the internet.

4. Metadata API Protection

In cloud environments, restrict access to metadata APIs using instance metadata service version 2 (IMDSv2) in AWS.

5. Monitor and Log Requests

Log all outgoing HTTP requests and set up alerts for unusual behavior.

---

As a bug bounty hunter, SSRF is a high-priority vulnerability to look out for. Here are some tips:

Test endpoints that accept URLs or fetch external data.

Check for unvalidated redirects or open file handlers.

Explore cloud-based targets and metadata endpoints.

---

SSRF is a powerful vulnerability that attackers can leverage to breach even the most secure infrastructures. By understanding its mechanics and implementing robust defenses, organizations can significantly reduce the risk of exploitation. For security researchers, SSRF offers a fertile ground for discovering impactful bugs, often rewarded generously in bug bounty programs.

---

Did you find this post helpful? Follow me here on Medium for more bug bounty tips, or check out my newsletter for regular insights into web application security. Connect with me on X @Spectatorguy for updates on my latest writeups.