Server-Side Request Forgery (SSRF) Attack Detailed Explanation

Server-Side Request Forgery (SSRF) Attack Detailed Explanation

1. Attack Description
Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker tricks a server into making malicious requests to unintended targets. By exploiting this vulnerability, attackers can access sensitive resources local to the server (such as internal network services), scan the internal network topology, and even use the server as a springboard to attack third-party systems. SSRF commonly occurs in features that require requesting external URLs (such as web crawlers, file downloads, Webhook callbacks, etc.).

2. Attack Principle

  • Cause of Vulnerability:
    The application does not strictly validate user-provided URLs (e.g., protocol, domain, path), allowing the server to be manipulated into requesting arbitrary addresses.
  • Key Risks:
    1. Access Internal Systems: Servers are often located within internal networks and can access services behind firewalls (e.g., database management interfaces, unauthorized Redis access).
    2. Protocol Abuse: Exploit protocols like file://, dict://, gopher:// to read local files or interact with internal services.
    3. Bypass Defenses: Requests made through the server's IP can bypass IP whitelists or authentication mechanisms.

3. Attack Steps Example
Assume an online tool offers a "Webpage Screenshot" feature where the server visits a user-input URL to generate an image.
Step 1: Probe for Vulnerability
The attacker inputs an internal network address (e.g., http://192.168.1.1:8080). If the server returns the response content from the internal service, an SSRF vulnerability exists.

Step 2: Expand Attack Surface Using Protocols

  • Read Local Files:
    Input file:///etc/passwd; the server may return the contents of sensitive system files.
  • Scan Internal Network Ports:
    Attempt to request http://192.168.1.1:22; determine port openness based on response time or error messages.

Step 3: Construct Advanced Attacks
Use the gopher:// protocol to send custom TCP packets (e.g., to attack an internal Redis service):

gopher://192.168.1.10:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$10%0d%0aevilcode%0d%0a*4%0d%0a$4%0d%0asave%0d%0a

This payload sends commands to Redis, writing malicious data.

4. Defense Measures

  • Input Validation:
    • Prohibit user input containing internal IPs or domains (e.g., 192.168.0.0/16, localhost).
    • Restrict protocols to only HTTP/HTTPS.
  • URL Mapping:
    Map user-input URLs to whitelisted domains or IPs, avoiding direct requests.
  • Network Layer Protection:
    • Restrict outbound traffic from the server, prohibiting access to internal network segments.
    • Use a proxy server configured with target address filtering.
  • Principle of Least Privilege:
    Run server processes using low-privilege accounts to reduce the risk of local file reading.

5. Advanced Techniques and Bypass Methods

  • Redirect Bypass:
    The attacker controls a public domain that returns a 302 Redirect to an internal address; some applications follow the redirect.
  • DNS Obfuscation:
    Use domains like xip.io (e.g., 192.168.1.1.xip.io) to bypass simple string filtering.
  • IPv6 or Special Formats:
    Exploit formats like [::ffff:127.0.0.1] or octal IPs (0300.0250.0.1) to evade detection.

Understanding the attack chain and defense logic of SSRF allows for a more comprehensive assessment of application security.