# SSRF

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to coerce the server into making requests to arbitrary URLs.

## Tools & Resources

* <https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet>
* <https://github.com/swisskyrepo/SSRFmap>
* <https://github.com/tarunkant/Gopherus>
* <https://app.interactsh.com/>
* [https://owasp.org/www-project-top-25-parameters](https://owasp.org/www-project-top-25-parameters/#top-25-server-side-request-forgery-ssrf-parameters)

***

## Finding SSRF Vectors

{% hint style="info" %}
If you are facing a BLIND SSRF (no response body is returned), use Burp Collaborator, [interact.sh](https://app.interactsh.com/) or similar tools to detect an out-of-band callback from the target\
If you are facing a target that validates your input, check out the [PortSwigger Bypass CheatSheet](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet)
{% endhint %}

To identify potential SSRF vectors, locate `GET` or `POST` parameters used by the web application to access other resources via explicit or implicit external calls.

{% hint style="success" %}
Other than the standard `http://` and `https://` schemes, it is sometimes possible to leverage SSRF with other URL schemes such as:

* `file://` - Allows reading files from the local file system
* `gopher://` - Allows sending arbitrary bytes to other services, potentially causing remote code execution
{% endhint %}

The [OWASP top 25 vulnerable parameters list](https://owasp.org/www-project-top-25-parameters/#top-25-server-side-request-forgery-ssrf-parameters), as of the time of writing, contains:

```
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
```
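Added here as a defensive counterpart to the scheme and validation notes above (this is not code from the original page or from any linked tool): a Python allow-list validator for URLs a server fetches on a user's behalf. The hostnames, the injectable `resolver` hook and the port allow-list are assumptions; the check rejects non-http(s) schemes, `user@host` tricks, and any literal or resolved address that is not globally routable, including IPv4-mapped IPv6 literals.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # allow-list: file://, gopher://, dict:// all rejected
ALLOWED_PORTS = {80, 443}             # assumption: only standard web ports are needed

def default_resolver(host):
    """Every A/AAAA answer for `host`; one safe answer must not hide an unsafe one."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_outbound_url(url, resolver=default_resolver):
    """True only for an http(s) URL whose host resolves exclusively to globally
    routable addresses. Anything that fails to parse is treated as unsafe.
    Caveat: to defeat DNS rebinding, the HTTP client must connect to the address
    validated here (or re-run this check at connect time) and must not follow
    redirects without re-validating the new URL."""
    try:
        parts = urlsplit(url)
        port = parts.port                      # raises ValueError on "host:abc"
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:    # urlsplit lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False                           # e.g. "http://trusted.com@127.0.0.1/"
    if port is not None and port not in ALLOWED_PORTS:
        return False
    host = parts.hostname                      # brackets stripped from IPv6 literals
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = {host}                         # literal address: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)             # names, and forms like "2130706433"
        except (OSError, UnicodeError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop IPv6 zone id
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                # "[::ffff:169.254.169.254]"
        if not ip.is_global:                   # loopback, RFC 1918, 169.254/16, fc00::/7 ...
            return False
    return True
```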

## Using Gopher to send POST data

A plain `http://` URL injected through SSRF only produces a GET request; the URL gives no control over the HTTP method or body. Instead, we can use the gopher URL scheme to send arbitrary bytes to a TCP socket, which lets us build a POST request byte by byte.

Suppose you want to send a POST request to login.php with username sfoffo and password admin. To send a POST request with that data, you need to URL-encode all special characters to construct a valid gopher URL. In particular, spaces (`%20`) and the CRLF line endings HTTP requires (`%0D%0A`) must be URL-encoded.

{% hint style="success" %}
One great tool to generate gopher-based SSRF payload is [**gopherus**](https://github.com/tarunkant/Gopherus)
{% endhint %}

After that, prefix the data with the gopher URL scheme, the target host and port, and an underscore (the first character after the path's `/` is the gopher item type, which the client strips rather than sends, so `_` is just a placeholder), resulting in the following gopher URL:

{% code overflow="wrap" %}

```
gopher://example.sfoffo:80/_POST%20/login.php%20HTTP%2F1.1%0D%0AHost:%20example.sfoffo%0D%0AContent-Length:%2030%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Ausername%3Dsfoffo%26password%3Dadmin
```

{% endcode %}

***
