1. Vulnerability Description#
SSRF (Server-Side Request Forgery) is a security vulnerability in which an attacker crafts a request that the server then sends on the attacker's behalf. In general, the targets of SSRF attacks are internal systems that cannot be reached from the internet: because the request originates from the server, it can reach internal systems that are connected to the server but isolated from the internet.
2. Vulnerability Principle#
SSRF vulnerabilities mostly arise for one reason:
The server provides functionality to fetch data from other servers or applications, and it does not filter or restrict the target address.
For example, an attacker can make the server fetch website content from a URL of the attacker's choosing.
3. Exploitation Methods#
- Scan ports on the internal network or localhost and collect the banner information of the services listening on them
- Attack applications running on the internal network or localhost
- Fingerprint internal web applications to obtain asset information within the enterprise
- Read sensitive files using the file protocol
4. Protocols Supported by SSRF#
1. HTTP Protocol#
The HTTP protocol can be used for internal port scanning; whether a port is open is inferred from differences in response time and response length.
https://ip/ssrf.php?url=http://127.0.0.1:3389
2. File Protocol#
The file protocol can be used to read local files on the server.
https://ip/ssrf.php?url=file:///etc/passwd
3. Dict Protocol#
The dict protocol can be used to detect service information on a port.
https://ip/ssrf.php?url=dict://127.0.0.1:3306
4. Gopher Protocol#
The gopher protocol can be used to probe ports, send GET requests, and attack Redis services.
https://ip/ssrf.php?url=gopher://127.0.0.1:3306
5. Vulnerability Defense#
- Disable redirects, so that a permitted URL cannot redirect the server to a different target
- Filter the returned information instead of echoing the raw response back to the client
- Disable unnecessary protocols such as file, dict and gopher, allowing only HTTP(S)
- Use a URL whitelist of permitted target hosts
- Standardize error messages, so that responses do not reveal whether a port is open
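The following is an added example (not code from the original page) that combines the defenses above in a server-side URL fetcher: only http/https schemes, a whitelist of target hosts, a check that the name resolves to a public address, and a urllib opener that refuses redirects. The host list, the DNS table and the `fake_resolver` are constructed assumptions so the checks can run offline.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Assumed configuration: the only hosts this fetcher may contact, and only over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:   # blocks file:, dict:, gopher:, ...
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host or parsed.username or parsed.password:
        return False, "missing host or embedded credentials"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allow-list: %r" % host
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
        addrs = {info[4][0] for info in resolver(host, port)}
    except (ValueError, socket.gaierror):
        return False, "invalid port or unresolvable host"
    # An allow-listed name that resolves to loopback, RFC 1918, link-local etc. is still refused.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise on every 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, resolver=socket.getaddrinfo, timeout=5):
    ok, reason = validate_fetch_url(url, resolver)
    if not ok:
        raise ValueError("refused: " + reason)
    with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
        return resp.read()

# Constructed DNS table so the checks can be exercised offline (not real records).
_FAKE_DNS = {"images.example.com": "93.184.216.34", "cdn.example.com": "127.0.0.1"}

def fake_resolver(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror("constructed: unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], port))]
```

Note that `fetch` resolves the name a second time when it opens the connection, so a name that changes its answer between the two lookups still needs a pinned connection or an egress proxy; the example shows the checks, not that additional layer.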