What is Server-Side Request Forgery (SSRF)?
SSRF is when you, as an attacker, manage to make the application issue arbitrary requests on your behalf.
Server-Side Request Forgery (SSRF) is very often found in combination with, or reached through, other vulnerabilities, for example:
XXE with SSRF:
    <?xml version="1.0"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY>
      <!ENTITY xxe SYSTEM "http://localhost">
    ]>
    <foo>&xxe;</foo>
Host Header Injection with SSRF:
    GET / HTTP/1.1
    Host: localhost
HTML Injection with SSRF:
ImageMagick SSRF in HLS Processing:
    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0,
    http://localhost
    #EXT-X-ENDLIST
Why is that dangerous?
Let’s assume you are hosting an application on port 80/443 externally, while the administrative panel is hosted on port 8008 and is reachable only internally. Through SSRF, you can send arbitrary requests to that internally hosted administrative panel.
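The usual defence against exactly this scenario (and against the localhost payloads shown above) is to validate a user-supplied URL before the server fetches it. The following is an added example, not code from the original article or from any of the projects mentioned; the hostnames in FAKE_DNS and their addresses are constructed so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """Default resolver: every address the host currently resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_internal(ip_text):
    """Loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254 metadata), etc."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason). Resolving the host instead of string-matching it catches
    spellings such as 0x7f000001 or 2130706433; the caller must then connect to the
    address checked here, or a changing DNS answer (rebinding) defeats the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in {"http", "https"}:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, UnicodeError) as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:  # every answer must be public, not just the first one
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"

# Constructed answers so the example runs offline; these are not real DNS data.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "metadata": ["169.254.169.254"],
    "www.example.org": ["93.184.216.34"],
    "split.example.org": ["93.184.216.34", "192.168.1.10"],  # one public, one not
}

def fake_resolver(host): return FAKE_DNS.get(host, [])
```

In production, pass the default system resolver and open the connection to the address that was validated, not to the hostname again.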
Different Types of Server-Side Request Forgery
There are three main types of Server-Side Request Forgery (SSRF) that you should be aware of:
- Normal Server-Side Request Forgery (SSRF): You can see the response to the SSRF request directly in your browser or intercepting proxy.
- Blind Server-Side Request Forgery (SSRF): You cannot see the response to the SSRF request directly, as you can with a normal SSRF, but you can still trigger actions blindly. To validate a blind SSRF, set up a listener, first send the SSRF payload pointing at your listener’s address, and check whether the listener receives a callback.
- Time-based Server-Side Request Forgery (SSRF): The application responds with an observable difference in response time between requests to existing and non-existing internal resources.
Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
Title: SSRF in Exchange leads to ROOT access in all instances
Title: Full Read SSRF on Gitlab’s Internal Grafana
Title: SSRF on project import via the remote_attachment_url on a Note
Title: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com
Title: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery
Title: Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure
Title: Unauthenticated blind SSRF in OAuth Jira authorization controller
Title: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
Title: Server Side Request Forgery mitigation bypass
Title: SSRF in CI after first run
Title: External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing
Title: Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF
Company: New Relic
Title: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE
Company: Rockstar Games
Title: SSRF on https://qiwi.com using “Prerender HAR Capturer”
Title: Blind SSRF in emblem editor (2)
Company: Rockstar Games
Title: SSRF — Unchecked Snippet IDs for distributed files
Title: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int
Title: SSRF chained to hit internal host leading to another SSRF which allows to read internal images.
Title: SSRF on image renderer
Title: SSRF in webhooks leads to AWS private keys disclosure
Title: SSRF In Get Video Contents
Title: SSRF in api.slack.com, using slash commands and bypassing the protections.
Title: SVG Server Side Request Forgery (SSRF)
Title: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint
Company: GSA Bounty
Bonus: 10 Zero-Dollar SSRF Reports
Title: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft
Title: SSRF on duckduckgo.com/iu/
Title: XXE Injection through SVG image upload leads to SSRF
Title: Sending Emails from DNSDumpster — Server-Side Request Forgery to Internal SMTP Access
Company: Hacker Target
Title: SSRF in alerts.newrelic.com exposes entire internal network
Company: New Relic
Title: Server-Side Request Forgery (SSRF) in Ghost CMS
Company: Node.js third-party modules
Title: Blind SSRF in “Integrations” by abusing a bug in Ruby’s native resolver.
Title: SSRF vulnerability on ██████████ leaks internal IP and various sensitive information
Company: U.S. Dept Of Defense
Title: Bypass for blind SSRF #281950 and #287496
Company: Cloudflare Vulnerability Disclosure
Thanks very much, and I hope you found this article helpful!