Server-Side Request Forgery (SSRF) is a critical web vulnerability where an attacker tricks a server-side application into making HTTP requests to an arbitrary domain of the attacker’s choosing.
In a cloud-heavy world, SSRF is the “portal” that lets an attacker jump from the public internet into the internal management network of a company.
How SSRF Works
Normally, a server might fetch an image or data from a URL you provide (like a profile picture). An attacker exploits this by providing a local or internal URL instead of a public one.
- The Target: The internal network (e.g., http://localhost, http://192.168.1.1) or cloud metadata services.
- The Goal: To access internal services that aren’t exposed to the internet, such as databases, internal admin panels, or IAM credentials.
SSRF and the “Holy Grail”: Cloud Metadata
This is the most common attack scenario you’ll see in your PenTest+ studies. Most cloud providers have an internal Metadata Service (IMDS) that provides info about the instance, including temporary IAM credentials.
By using SSRF to query these local addresses, an attacker can steal the server’s identity:
- AWS: http://169.254.169.254/latest/meta-data/iam/security-credentials/[role-name]
- Azure: http://169.254.169.254/metadata/instance?api-version=2021-02-01
- GCP: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
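From the defender's side, the fix for both the "How SSRF Works" scenario and the metadata case is to vet a user-supplied URL before the server fetches it. The following Python validator is an added example, not code from the original page: it restricts the scheme, denies the metadata hostnames listed above, and resolves the host so that every address must be public; the deny list and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical deny list built from the hostnames this page mentions.
DENIED_HOSTS = {"localhost", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (169.254.0.0/16, where the
    metadata service lives) and other reserved space. IPv4-mapped IPv6
    literals are unwrapped first so ::ffff:169.254.169.254 is caught too."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global


def system_resolver(host: str) -> set:
    """Every address (A and AAAA) the system resolver returns for a name."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url: str, resolver=system_resolver) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side.
    Rejects non-HTTP schemes (no gopher:// or file://), denied hostnames,
    and any host with at least one non-public address."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    if host in DENIED_HOSTS:
        return False
    try:
        ipaddress.ip_address(host)      # IP literal: check it directly
        addresses = {host}
    except ValueError:                  # a name: check everything it resolves to
        try:
            addresses = resolver(host)
        except OSError:                 # NXDOMAIN or resolver failure
            return False
    # The fetch itself should connect to these vetted addresses rather than
    # resolving the name a second time, so the answer cannot change in between.
    return bool(addresses) and all(is_public_ip(ip) for ip in addresses)
```

Hardening the metadata side matters as well: AWS IMDSv2 requires a session token obtained with a PUT request, and Azure and GCP require a custom request header, which a plain GET issued through a vulnerable fetch cannot supply.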
Types of SSRF
| Type | Description |
|---|---|
| Basic SSRF | The server returns the response from the internal request back to the attacker (e.g., showing the contents of a local file). |
| Blind SSRF | The server makes the request, but the response isn’t shown to the attacker. You have to confirm it works by monitoring for out-of-band traffic (using a tool like Burp Collaborator). |
Server-Side Request Forgery (SSRF)
📝 Overview
What it is: A vulnerability where an attacker forces a server to make a request to an internal or external resource it wasn’t intended to access.
Target Phase: Attack / Enumeration
Operating System: Web Applications (Platform Independent)
⚙️ Core Capabilities
- Internal Scanning: Using the vulnerable server as a “proxy” to scan the internal network for open ports.
- Credential Theft: Accessing cloud metadata services to steal IAM Role tokens.
- Bypassing Firewalls: Reaching services that are IP-restricted to only allow local traffic.
💻 Essential CLI tool options
| Tool | Purpose |
|---|---|
| Burp Suite | The primary tool for finding and exploiting SSRF. |
| curl | Used to manually test URL parameters for redirection. |
| Gopherus | Generates Gopher payloads to exploit SSRF for RCE in various services. |
🏷️ Tags
SSRF attack WebSecurity CloudSecurity IAM PenTestPlus CLItool