SSRF: Server-Side Request Forgery attacks. The ability to create requests from the vulnerable server to the intranet or internet. Using a protocol supported by the available URI schemas, you can communicate with services running on other protocols. Here we collect the various options and examples (exploits) of such interaction.
Typical attack steps
1. Scan the internal network to determine the internal infrastructure which you may access
2. Collect open ports at localhost and other internal hosts which you want (basically by time-based determination)
3. Determine services/daemons on ports using the wiki or daemon banners (if you may watch output)
4. Determine the type of your SSRF combination:
   ○ Direct socket access (such as this example)
   ○ Sockets client (such as java URI, cURL, LWP, others)
5. In case of direct socket access, determine CRLF and other injections for smuggling
6. In case of a sockets client, determine the available URI schemas
7. Compare the available schemas and services/daemons protocols to find smuggling possibilities
8. Determine host-based auth daemons and try to exploit them
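
Seen from the defending side, steps 1-2, 5 and 6 each depend on something the server can refuse before it makes the request. The following is an added example, not part of the original document: a pre-fetch check for a user-supplied URL. The function names, the http/https allowlist and the SAMPLE_DNS table are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the app only fetches web URLs
# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {"public.example": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"},
              "mixed.example": {"93.184.216.34", "127.0.0.1"}}


def system_resolver(host):
    """Every address the name resolves to, via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def sample_resolver(host):
    """Offline stand-in: table lookup, anything else is taken as an IP literal."""
    return SAMPLE_DNS.get(host, {host})


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    # Step 5: CR/LF and other control bytes are what request smuggling relies on.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False, "control character in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    # Step 6: allowlist schemes; every other URI schema is refused.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        # Steps 1-2: localhost and internal ranges are refused for EVERY address.
        for addr in resolver(host):
            ip = ipaddress.ip_address(addr.split("%")[0])
            if not ip.is_global:
                return False, f"non-public address {ip}"
    except (OSError, ValueError):
        return False, "host does not resolve to a valid address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://public.example/a", "http://127.0.0.1:8080/", "ftp://public.example/"):
        print(u, check_outbound_url(u, sample_resolver))
```

The check only holds if the client then connects to the address that was validated and the same check is applied to every redirect target; otherwise a second DNS answer or a redirect can still point the request at an internal host.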