SSRF

Server-side request forgery

Causes the server-side application to make requests to an unintended location. It is normally used to make the application send requests to localhost, attacking the server itself that way.

This potential vector to escalate privileges often makes SSRF a critical vulnerability.

This way a request to /admin, even from an API with fewer privileges, would be able to access the URL, as the request comes from a trusted source.

  • Example of API sending the original request and the malicious one:

#Initial API status

stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%5%26storeId%2B

#Malicious one pointing to localhost and the admin panel
stockApi=http://localhost/admin

This vector is possible due to the normal behaviour of the servers:

  • Some form of authentication needs to be put in place, and the APIs need those permissions not only to be able to work but also for recovery purposes.

  • It is important to be able to locate the API's ports and determine which interfaces are communicating with the admin panel; normally this should not be possible from a user level.

SSRF can also be used to attack other back-end systems. Often those systems have different interfaces with different IP addresses, and sometimes there are internal back-ends that can be accessed without authentication. Finding the admin interface could allow the attacker to access the admin panel with an attack similar to the one before:

stockApi=http://192.168.0.68/admin
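The defensive counterpart to both examples above (the localhost one and the internal-IP one) is to validate the user-supplied stockApi value before the server fetches it. The following is an added example, not code from the original notes: it assumes the only legitimate back-end is stock.shop.com on port 8080 over http (an allow-list constructed for this example), and it rejects literal loopback, private and link-local addresses as a second line of defence.

```python
"""Allow-list check for a stockApi-style URL parameter.

Added example, not from the original notes. Assumption: the only back-end the
application legitimately calls is http://stock.shop.com:8080, so everything
else (including localhost and 192.168.0.68 from the notes) is rejected.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the exact scheme, host and port the application needs.
ALLOWED_ORIGINS = {("http", "stock.shop.com", 8080)}

# Address ranges a server-side fetcher should never be pointed at.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback (localhost)
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private, covers 192.168.0.68
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def is_internal_address(ip_text: str) -> bool:
    """True if ip_text is a literal IP inside one of BLOCKED_NETWORKS.

    Hostnames (anything that does not parse as an IP) return False here;
    they are handled by the allow-list in check_stock_api_url.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_stock_api_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied stockApi value.

    Order of checks: parse, scheme, host present, internal-address denylist,
    then the exact (scheme, host, port) allow-list. Only an allow-list hit passes.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; IPv6 brackets already stripped
        # Default ports so "http://stock.shop.com/x" compares as port 80, not None.
        if parts.port is not None:
            port = parts.port
        elif parts.scheme == "http":
            port = 80
        elif parts.scheme == "https":
            port = 443
        else:
            port = None
    except ValueError as exc:  # e.g. a non-numeric or out-of-range port
        return False, f"unparseable URL: {exc}"

    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost") or is_internal_address(host):
        return False, f"host {host!r} points at an internal address"
    if (parts.scheme, host, port) not in ALLOWED_ORIGINS:
        return False, f"{parts.scheme}://{host}:{port} is not on the allow-list"
    return True, "ok"


if __name__ == "__main__":
    # The three stockApi values from the notes, run through the check.
    for candidate in (
        "http://stock.shop.com:8080/product/stock/check%3FproductId%5%26storeId%2B",
        "http://localhost/admin",
        "http://192.168.0.68/admin",
    ):
        print(candidate, "->", check_stock_api_url(candidate))
```

The allow-list is what does the real work; the IP denylist only catches literal addresses and is there so a misconfigured allow-list still does not expose loopback or private ranges. In a real deployment the fetcher should also resolve the allow-listed hostname and re-check the resolved address against BLOCKED_NETWORKS, and the HTTP client should not follow redirects, since both DNS and redirects can carry an otherwise valid URL to an internal address.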
