What is SSRF and how to Detect them on Web Application

let’s delve into the nature of SSRF vulnerabilities and how attackers exploit them.

Server Side Request Forgery (SSRF) vulnerabilities occur when an attacker manipulates the requests sent by a web application’s server. This manipulation can be either partial or complete, giving the attacker a degree of control over the request.

One common scenario involves the attacker influencing the URL of a third-party service that the web application interacts with. By manipulating this URL, the attacker can direct the server to make requests to unintended destinations, potentially accessing sensitive information or internal systems that are otherwise protected.

SSRF attacks are particularly concerning because they allow attackers to target resources and services that are not meant to be directly accessible from the internet. This includes internal systems behind firewalls or services that are only intended for local access.

For instance, an attacker might exploit an SSRF vulnerability to make requests to internal databases, file systems, or administration interfaces. They can also abuse the loopback interface (127.0.0.1) to access services running on the same server that hosts the vulnerable application.

To detect and exploit SSRF vulnerabilities, attackers often use specific payloads designed to manipulate server requests. These payloads can include variations of URLs, IP addresses, or other parameters that trick the server into making unauthorized requests.

Overall, SSRF vulnerabilities pose a significant risk to web applications, as they can lead to unauthorized access, data leakage, and potentially compromise critical internal systems. It’s crucial for developers to implement robust security measures to mitigate the risk of SSRF attacks, such as input validation, proper access controls, and regular security assessments.

Here are some more creative and advanced SSRF exploit techniques explained:

### 1. Advanced Exploit Using a Redirection:
1. **Create a Subdomain with DNS A Record:**
— Set up a subdomain like `ssrf.example.com` with a DNS A record pointing to `192.168.0.1`.
2. **Launch SSRF Attack:**
— Exploit a vulnerability in `vulnerable.com/index.php?url=http://YOUR_SERVER_IP`.
— `vulnerable.com` fetches `YOUR_SERVER_IP`, which redirects to `192.168.0.1`.

### 2. Advanced Exploit Using `type=url`:
1. **Change Input Type to URL:**
— Modify input type from `type=file` to `type=url`.
— Users can now upload images from any URL, triggering SSRF.
2. **Exploit with Additional Payload:**
— Insert `http://127.0.0.1:21/?%0A` before the URL parameter to trigger SSRF.

### SSRF Using Various Encoding:
1. **Hex Encoding:**
— Convert `127.0.0.1` to `0x7f.0x0.0x0.0x1`.
— `localhost` becomes `6C6F63616C686F7374`.
2. **Octal Encoding:**
— Translate `127.0.0.1` to `0177.0.0.01`.
3. **Dword Encoding:**
— Represent `http://127.0.0.1` as `http://2130706433`.
4. **URL Encoding:**
— Encode `http://localhost` as `http://%6c%6f%63%61%6c%68%6f%73%74`.
5. **Complex URL Encoding:**
— Employ complex URL encoding in URLs to obfuscate payloads.
6. **Dotted Decimal with Overflow:**
— Craft URLs like `http://425.510.425.510/` to exploit overflow vulnerabilities.
7. **Dotless Decimal:**
— Use dotless decimal notation like `http://2852039166/` for SSRF exploitation.

These techniques demonstrate the versatility of SSRF vulnerabilities and highlight the importance of thorough input validation and security measures to prevent exploitation.