What is SSRF attack?
I have always been curious about finding an SSRF vulnerability. This was one of the bugs that I recently identified in my target application.
Enumeration:
When I am checking a target application, I normally look for any URL redirection parameter. This can be identified in multiple ways:
1. URL query parameters
2. Search for URL/redirect/http/.com string values in the burpsuite sitemap
3. Use the waybackurl tool to identify whether any historic links have a redirection parameter or not
4. Look at your requests and responses for the redirection parameter
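The fourth check above (looking through requests and responses for a parameter that carries a URL) is easy to do by hand for one request, but an application owner auditing their own traffic wants it over many. The following script is an added example written for this post, not code from the original author: it pulls name/value pairs out of a request's query string and out of a JSON response body, and reports the ones whose name looks redirect-related (`redirect`, `return`, `next`, `url`, and so on) and whether the value already looks like a URL or path. The name heuristic, the `app.example` host and the sample traffic are all constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry a URL the server will follow or fetch.
# This heuristic list is an assumption of the example, not taken from the post.
REDIRECT_NAME_RE = re.compile(
    r"(redirect|return|next|url|uri|dest|target|callback|continue|goto|link|href)",
    re.IGNORECASE,
)
# Values that look like an absolute URL, a scheme-relative URL, a bare host, or a path.
URL_VALUE_RE = re.compile(r"^(https?://|//|[\w.-]+\.(com|net|org|io)\b|/)", re.IGNORECASE)


def params_from_url(url):
    """Return (name, value) pairs from the query string of a request URL."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def params_from_json(body):
    """Return (dotted.path, value) pairs for every string leaf of a JSON body."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str):
            found.append((path, node))

    walk(data, "")
    return found


def find_redirect_params(request_url, response_body):
    """Return candidate redirect parameters as (location, name, value, value_is_url).

    A parameter is reported when its (leaf) name matches REDIRECT_NAME_RE; a
    URL-like value is flagged separately so the reviewer can prioritise hits.
    """
    hits = []
    for name, value in params_from_url(request_url):
        if REDIRECT_NAME_RE.search(name):
            hits.append(("query", name, value, bool(URL_VALUE_RE.match(value))))
    for path, value in params_from_json(response_body):
        leaf = path.rsplit(".", 1)[-1]
        if REDIRECT_NAME_RE.search(leaf):
            hits.append(("body", path, value, bool(URL_VALUE_RE.match(value))))
    return hits


# Constructed sample traffic for the example (not captured from any real target).
SAMPLE_REQUEST_URL = "https://app.example/profile/edit?user=42&returnTo=/account"
SAMPLE_RESPONSE_BODY = json.dumps({
    "status": "ok",
    "profile": {"name": "demo", "avatar": "/img/42.png"},
    "redirectUrl": "https://app.example/profile/view",
})

if __name__ == "__main__":
    for hit in find_redirect_params(SAMPLE_REQUEST_URL, SAMPLE_RESPONSE_BODY):
        print(hit)
```

Run against the constructed sample, the script reports `returnTo` in the query string and `redirectUrl` in the response body, the latter being the same shape of parameter the post goes on to describe.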
I have found the redirection parameter in the response body when I was fiddling around with the request.
Attack scenario:
Pre-requisite: Get the burp collaborator client ready and running, and keep the domain values generated by the collaborator.
What is burp collaborator?
How to use burp collaborator?
1. Initially, log in to the target application and edit the profile.
2. Intercept the RESPONSE via burpsuite and inject the payload in the “redirectUrl” parameter.
3. The target server was making a request to the burp collaborator. Eventually, the IP address of the server was identified.
4. Next, using this server IP, let us try to scan the ports.
5. First, check for port 22. Try to inject “http://106.***.**.*:22" in the “redirectUrl” parameter; the application was providing different responses.
6. Since the application is directly delivering the results, the attacker needs to analyse the response behaviour and identify the open ports.
Scenario: Port 443 is open
Let us check how the application server responds to an open port. This time I provided port 443 along with the IP address in the redirectUrl parameter.
The below response was shown in the browser.
Since the port was open and http was given, the application server was asking to secure the connection (it means to switch from http to https).
Scenario: Port 22 is closed
As we can see, the application server behaves differently depending on whether the port is open or closed.
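The two scenarios above show the core of the problem: the server accepts an attacker-controlled host and port in `redirectUrl`, connects to it, and reflects the outcome back, so the response itself becomes a port-state oracle. The fix is not to disguise the error but to never let user input choose the outbound target. The following is an added example, not code from the post or from the affected application: an unsafe target extraction beside a hardened validator that allows only `https`, an allowlisted hostname, the standard port and no IP literals, plus a resolver check for the case where a server genuinely must fetch a user-supplied URL. The `app.example` allowlist and the `203.0.113.5` address are constructed placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real application lists its own hosts.
ALLOWED_HOSTS = {"app.example", "www.app.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means "no explicit port", i.e. the scheme default


def unsafe_outbound_target(raw):
    """The vulnerable pattern: whatever host:port the user supplies is used as-is.

    With "http://203.0.113.5:22/" this yields ("203.0.113.5", 22), and a server
    that connects to it and reports the result is a port scanner for the attacker.
    """
    parts = urlsplit(raw)
    return parts.hostname, parts.port or 80


def classify_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Hardened check for a redirect parameter. Returns (ok, reason).

    ok is True only for an https URL on an allowlisted host, on the default or
    standard port, with no userinfo and no IP-literal host. Everything else is
    rejected with the same generic outcome, so the response leaks nothing
    about the rejected target.
    """
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme"
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "ip literal"  # numeric hosts bypass any hostname allowlist
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, "host not allowlisted"
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, "port"
    if parts.username or parts.password:
        return False, "userinfo"
    return True, "ok"


def is_internal_ip(ip_text):
    """True for any address that is not globally routable (RFC 1918, loopback,
    link-local, shared address space, multicast, unspecified, reserved)."""
    return not ipaddress.ip_address(ip_text).is_global


def default_resolver(host):
    """Resolve a hostname to all its A/AAAA addresses (network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolved_addresses_are_public(host, resolver=default_resolver):
    """For a server that must fetch a user-supplied URL: every resolved address
    has to be public. Connect to the address checked here rather than resolving
    again at connect time, otherwise a DNS rebinding answer can change it."""
    addresses = resolver(host)
    return bool(addresses) and all(not is_internal_ip(ip) for ip in addresses)


if __name__ == "__main__":
    # Constructed inputs mirroring the post's scenario (redacted IP replaced by TEST-NET).
    for candidate in ("http://203.0.113.5:22/", "https://203.0.113.5:443/",
                      "https://app.example/profile/view", "https://app.example:8443/"):
        print(candidate, "->", classify_redirect_target(candidate))
```

The reason strings are for logging on the server side only; the client should receive one fixed error for every rejected value, which is what removes the open/closed distinction the post relied on.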
Timeline:
Submitted on 29 Apr 2020
13 Mar 2020: marked as a duplicate
13 Mar 2020: provided more submission for blind SSRF
14 Mar 2020: bug accepted as Server-Side Request Forgery (SSRF)