What is SSRF

Server Side Request Forgery

Exam Preparation

● What do you guys feel like you want to work on?
● What kind of exercises do you guys want for practice?
  ○ I will make some possibly.
● Are there any other questions about the exam layout?

Overview

● What is Server Side Request Forgery
● What is the impact
● How/where does it arise
  ○ Potential entry points
● Cloud Hosting - Google Cloud Engine, AWS, Linode, DO
● Exploiting Local Services
● Other protocols/protocol smuggling (ftp://, gopher://, expect://)
● OOB techniques

What is SSRF

● Abhi already told you guys.
● Where you tell the server to make a request on your behalf.

SSRF in piqturz - normal request

SSRF in piqturz - actual SSRF.

What is the impact?

● Network Isolation Breach
● Breach of trust boundaries.

SSRF Network Boundary Breach


Where does it arise?

● Where applications include files
● Where applications preview your content
● Where applications let you choose somewhere to upload files

Slack link preview

Facebook messenger link preview.

#DEMO

Cloud Hosting

● AWS - 169.254.169.254
● GCE - http://metadata.google.internal
● Digitalocean - http://169.254.169.254
● Linode - Idk, might not be one

#DEMO

Exploiting local services

● Services listening only on local ports.
● Not exposed to the internet
● Probably unauthenticated.

Common Local Services

● Local Elastic Search Instances - :9200 :9300
● Hashicorp Consul - :8500
● Jenkins - :8080
● Memcached - :11211
● Other services - :443, 8080, 8443

Protocol Smuggling

Gopher in a nutshell.

#gophersuxlol

● http://ssrfphp.lecture.ns.agency/?q=gopher%3A%2F%2F192.184.89.99:9998/a%2547%2545%2554%2520%252f%2520%2548%2554%2554%2550%252f%2531%252e%2531%250a%2548%256f%2573%2574%253a%2520%2576%252e%256d%2565%2577%2579%252e%2570%2577%253a%2539%2539%2539%2539

#gophersuxlol

● Sends your data as raw tcp.
● Lets you craft tcp packets by hand
● Lets you interact with other protocols (not just HTTP)
  ○ E.g. FTP
  ○ E.g. MySQL

● https://blog.formsec.cn/2018/01/22/SSRF-To-RCE-in-MySQL/ (crazy chinese people)
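
Added here as a defender-side example (not code from the lecture): a deny-by-default URL check for a server-side fetch feature such as the link previews above. It rejects the schemes from the Overview (gopher://, ftp://, expect://), the metadata hosts from the Cloud Hosting slide and the local-service ports listed above; the resolver and its DNS table are constructed assumptions so the demo runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # never gopher://, ftp://, file://, expect://
ALLOWED_PORTS = {80, 443}            # shuts out :9200, :8500, :8080, :11211 ...

# Constructed table standing in for DNS so the demo runs offline (assumption:
# use socket.getaddrinfo or your own resolver in real code).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.35", "10.0.0.5"],  # mixed answers
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # False for loopback, RFC 1918, 169.254/16 (cloud metadata), ::1, fc00::/7, fe80::/10
    return ip.is_global and not ip.is_multicast

def check_fetch_url(url, resolve=fake_resolve):
    """Return (ok, reason); anything not explicitly allowed is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IPv4/IPv6 literal
    except ValueError:
        addrs = resolve(host)  # hostname: every answer must pass, not just one
    if not addrs:  # also rejects decimal/hex IP spellings ipaddress won't parse
        return False, "host did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr
    # Caveat: re-check the address you actually connect to, and do not follow redirects.
    return True, "ok"
```

The host check runs on every resolved answer, so a name that returns one public and one internal address fails instead of passing on the first answer.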

OOB Techniques

● OOB XXE
● Where you can exfil information by DNS requests.
  ○ Burp collaborator

2nd Order SSRF

● Where it's not immediately obvious
● Need to go somewhere else to trigger it/view it cached.

Sick Writeups

● http://polynome.co/infosec/inversoft/elasticsearch/linode/penetration-testing/2016/08/16/hack-that-inversoft.html
● https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
● http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
● http://blog.safebuff.com/2016/07/03/SSRF-Tips/
● https://blog.formsec.cn/2018/01/22/SSRF-To-RCE-in-MySQL/