Server-Side Request Forgery (SSRF) refers to an attack in which an attacker can make a vulnerable web application send a crafted request on their behalf. SSRF is mainly used to target internal systems behind a WAF (web application firewall) that are unreachable to the attacker from the external network. Additionally, an attacker can use SSRF to access services on the same server that listen only on the loopback interface address (127.0.0.1).
Typically, SSRF occurs when a web application makes a request in which an attacker has full or partial control of the request that is sent. A typical example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service. Here I have captured the file= URL parameter and tried to perform this server-side forgery attack.
In the above figure, the perpetrator forges a request for a fund transfer website and embeds it into the visitor site. When the visitor logs in to the website for the transaction and clicks the link the perpetrator created, it eventually redirects to the perpetrator's site, and the amount is transferred to his account.
With this attack, an attacker can gather information about ports and IP addresses, achieve remote code execution, and also discover the IP addresses of servers running behind a reverse proxy.
For example, I have tried an SSRF attack on a testing site for your reference.
Vulnerable site: http://testphp.vulnweb.com/
In Burp Suite, I checked for redirection parameters other than URL=. In the search field I tried various parameters, including file=; I captured the request for that particular path and sent it to the Repeater.
The request is captured from the search file in the Repeater, and in the file field a .jpg file is referenced. I then removed the file name and entered a third-party URL in the file parameter. Redirected URL: https://www.expressvpn
Once I click Go to capture the response, the response changes to expressvpn.com, and you can see the IP of testphp.vulnweb.com. In the rendered page, you can see the expressvpn.com site being loaded, as follows.
PREVENTION FROM SSRF:
Generic error messages should be returned to every client, as unhandled responses might reveal sensitive information about the server or leak data when a raw response or an unexpected parameter is used.
URL schemes other than HTTP and HTTPS should be blacklisted. Only these two protocols should be whitelisted, thereby not allowing schemes that are not in use, such as file:///, direct://, feed://, touch:// and FTP://, which can be dangerous in an SSRF attack.
In summary, the Server Side Request Forgery attack was made from the server side, and the requested web page was redirected to other web pages. To prevent such attacks, allow only the particular subdomains of the required web page and deny the other web pages that are not in use.
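The scheme and host whitelisting described above, written as a small validator for a parameter such as file= (added example, not code from the original post or from the tested site; the allowed host names are assumed placeholders):

```python
from urllib.parse import urlsplit
import ipaddress

# Only these schemes may be fetched server-side (rejects file://, ftp://, etc.).
ALLOWED_SCHEMES = {"http", "https"}
# Assumed allowlist of the application's own image hosts (placeholder values).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_allowed_url(url: str) -> bool:
    """Return True only if url uses http/https and targets an allowlisted host."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False  # "http://trusted@other" style confusion
    host = parts.hostname
    if not host:
        return False
    # Literal IP addresses are never allowed; this also blocks 127.0.0.1 and [::1].
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    # Exact allowlisted host, or a subdomain of one; "cdn.example.com.evil" fails.
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ["https://cdn.example.com/img/logo.jpg",
                      "https://www.expressvpn.com/",
                      "file:///etc/passwd",
                      "http://127.0.0.1:8080/"]:
        print(candidate, "->", "allowed" if is_allowed_url(candidate) else "rejected")
```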
To educate on these valuable measures and to implement strong security quality, a legitimate company that provides strong security of cult quality is mandatory. We emulously focus on encumbering cyber threats, and we upgrade your security standards until they reach the borders of Elysium. To know more about us, contact us at any time to experience a euphoric security service.