Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. (Definition taken from PortSwigger's SSRF article, linked at the end of this post.)
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. Depending on what the reachable services expose, an attacker may also be able to delete users or, in the case of a banking web application, transfer money to an account they control.
Today I will just show how to display the contents of a text file located at the root of the web application; in this case the web root I used was "c:\wamp64\www\dvwa".
Here is how I performed the attack:
- Opened Burp Suite, opened the preconfigured browser and the DVWA web application just as in my previous post. This time I needed to log in to DVWA, turn on Intercept in Burp Suite, and then navigate to the Brute Force page.
- Burp Suite intercepted the web request. I right-clicked on the intercepted request and chose Send to Repeater from the context menu. You may be asking why I navigated to the Brute Force page: I was looking for a particular pattern, the one I highlighted in the screenshot. That is the value I needed to change to one that would make the server display the contents of the file.
- In the Repeater tab, I changed the highlighted text as shown in the picture and clicked Send. The server response was displayed in the right-hand panel, where I highlighted the contents of the text file.
And that concludes my demo for the SSRF.
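As an added example (my own code, not part of the original post or of DVWA), here is the pattern behind this class of bug written in Python: a fetch-by-URL handler that trusts the client's parameter as-is, beside a hardened version that enforces a scheme and host allowlist and refuses anything that resolves to a loopback, private, link-local or otherwise internal address. The upstream host api.example.com, the injectable resolver and the sample URLs are assumptions made for the example so that it runs offline.

```python
"""Added example: a fetch-by-URL handler with no target validation next to a
hardened version that enforces an allowlist and rejects internal addresses.
Assumptions: the application is only meant to fetch from api.example.com (a
placeholder), and the resolver is injectable so the checks run offline."""
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFError(ValueError):
    """Raised when a user-supplied URL fails the SSRF checks."""


def vulnerable_target(user_url: str) -> str:
    """Vulnerable pattern: whatever the client sends is what gets fetched.
    With urllib.request.urlopen behind this, file:///c:/wamp64/www/dvwa/x.txt
    reads a file off the web root and http://127.0.0.1/ reaches a loopback-only
    service, which is the kind of outcome demonstrated in the post."""
    return user_url


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com"}  # assumption: the only legitimate upstream


def _is_internal(ip) -> bool:
    """True for any address a server-side fetch should never be sent to."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host: str) -> list:
    """Resolve with the system resolver; sockaddr[0] is the address string."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def hardened_target(user_url: str, resolve=_default_resolve) -> str:
    """Return user_url only if it is safe to fetch, else raise SSRFError.

    Order matters: cheap structural checks first, DNS last. `resolve` is a
    callable host -> list of address strings, injectable for offline tests.
    """
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Blocks file://, gopher://, dict:// and similar schemes outright.
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFError("URL has no host")
    if parts.username is not None or parts.password is not None:
        # http://api.example.com@127.0.0.1/ has hostname 127.0.0.1, but an
        # explicit rule makes the intent obvious to a reviewer.
        raise SSRFError("credentials in URL are not allowed")
    if host.lower() not in ALLOWED_HOSTS:
        raise SSRFError(f"host not on allowlist: {host!r}")
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if _is_internal(ip):
            # Catches an allowlisted name that (re)binds to an internal address.
            raise SSRFError(f"{host} resolves to internal address {ip}")
    return user_url


def check(user_url: str, resolve=_default_resolve) -> str:
    """Convenience wrapper returning 'allowed' or the rejection reason."""
    try:
        hardened_target(user_url, resolve)
        return "allowed"
    except SSRFError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs; the stub resolver keeps this offline.
    stub = lambda host: ["93.184.216.34"]
    for url in ["https://api.example.com/v1/report",
                "file:///c:/wamp64/www/dvwa/secret.txt",
                "http://127.0.0.1/",
                "http://api.example.com@169.254.169.254/latest/meta-data/"]:
        print(f"{url!r:62} -> {check(url, stub)}")
```

The host allowlist is the real control; the resolved-address check is defence in depth, because a name can be re-pointed between the check and the actual fetch (DNS rebinding), and the code that performs the fetch must not follow redirects to a target that was never validated.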
More advanced articles about SSRF:
- PortSwigger - Server-side request forgery (SSRF)
- HackTricks - SSRF (Server Side Request Forgery)
- Okta - Server-Side Request Forgery (SSRF): Definition & Defense