Hacking with SSRF: A Deep Dive into Server-Side Request Forgery

Mar 12, 2025 · 3 min read

Intro : Hello Hackers 👋. Hope all is fine. Today I will discuss the SSRF vulnerability and how to bypass an SSRF restriction to fetch sensitive data from an internal server. This was performed in a lab environment (created by NahamSec), but it can be applicable to real-life scenarios. So let's dive into it.

Finding SSRF Endpoint :

Finding an SSRF endpoint can be tough. It can be in a URL parameter, in a place where the application talks to another internal server, or in the Referer header. So here is our web application.

It is a shopping platform. After viewing one item it looks like this.

Here I can either add the item to my basket or check the stock. So I clicked on Check Stock. It fetches the response from another server: stock.nahamstore.thm. 56 in stock. Here we can try SSRF, since the application is interacting with another server.

After changing the server to 127.0.0.1 it shows no response: "Server Invalid". So it is blocking any internal server interaction for security purposes.

Here we can try the common bypass technique with @ .

However, after trying stock.nahamstore.thm@127.0.0.1 it shows a 404, which means no server exists with this name.

But after adding a # sign at the end, the response differs from the previous one: it shows the application home page. This means the bypass works.
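Why the @ and # payloads above get past the check, and how a parser-based allow-list closes the hole, as an added Python example from the defender's side. This is not code from the original post or from NahamSec's lab; the parameter name `server`, the allow-list, and the assumption that the backend builds `http://<server>/stock` from the user-supplied value are my own assumptions about how the stock check is wired.

```python
"""Added example: naive string check vs. parser-based validation of a
user-supplied backend host. Assumptions (not from the write-up): the stock
check builds http://<server>/stock from a `server` parameter, and the only
legitimate backend is stock.nahamstore.thm.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"stock.nahamstore.thm"}  # assumed allow-list


def build_stock_url(server: str) -> str:
    """How the vulnerable backend is assumed to build its outbound request."""
    return f"http://{server}/stock"


def naive_is_allowed(server: str) -> bool:
    """String-prefix check. It accepts the @ and # payloads from the post
    because the string still *starts with* the trusted hostname."""
    return server.startswith("stock.nahamstore.thm")


def effective_host(server: str) -> str:
    """Host an HTTP client would really connect to for the built URL.
    Everything before '@' is userinfo and everything after '#' is a fragment,
    so neither reaches the wire: 'stock.nahamstore.thm@127.0.0.1#' connects
    to 127.0.0.1 and requests '/'."""
    parts = urlsplit(build_stock_url(server))
    return parts.hostname or ""


def is_internal_literal(host: str) -> bool:
    """True if host is an IP literal in loopback / private / link-local /
    reserved space. Non-literal names return False here; in production the
    resolved address must be checked too (needs DNS, not shown)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved


def strict_is_allowed(server: str) -> bool:
    """Parse the URL the backend would fetch, then decide on the parsed parts."""
    try:
        parts = urlsplit(build_stock_url(server))
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # '@' smuggled userinfo ahead of the real host
    if parts.fragment or parts.query:
        return False  # '#' or '?' would truncate the intended path
    if parts.path != "/stock":
        return False  # path tampering via '/' in the host value
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False
    return not is_internal_literal(host)


if __name__ == "__main__":
    # The three inputs tried in the post, plus the legitimate one.
    for candidate in ("stock.nahamstore.thm", "127.0.0.1",
                      "stock.nahamstore.thm@127.0.0.1",
                      "stock.nahamstore.thm@127.0.0.1#"):
        print(f"{candidate:36} naive={naive_is_allowed(candidate)!s:5} "
              f"strict={strict_is_allowed(candidate)!s:5} "
              f"connects_to={effective_host(candidate)}")
```

The point of `effective_host` is that validation and the HTTP client must agree on what the host is; a prefix or substring check looks at the raw string, while the client looks at the parsed authority, and the @ and # characters exploit exactly that gap. Parsing with the same rules the client uses, then applying an allow-list to the parsed hostname, removes the ambiguity.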

Exploiting SSRF :

This is enough to show that SSRF is present here. But to show further impact we have to exfiltrate sensitive data with SSRF (or port scanning can be done). So we have to find any server that is running internally which may contain sensitive data.

After fuzzing the endpoint nahamstore.thm I found this endpoint: internal-api, which contains something interesting. It lists /order.

After moving into the folder it shows all the order IDs of other users, which is dangerous.

You can see users' email, credit card number and other information which is highly sensitive.

So in this way an SSRF vulnerability can be exploited. Hope you have learnt something new.

THANKS FOR READING!

If you enjoyed this, don't forget to like it and follow me for more articles.

LinkedIn Profile → https://www.linkedin.com/in/subhankar-paul-332085254/

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
