SSRF bible. Cheatsheet

Posted in Hacker News, Paper

SSRF (Server Side Request Forgery) attacks: the ability to make the vulnerable server issue requests to the intranet or the internet. Using a protocol supported by the available URI schemes, you can communicate with services running on other protocols. Here we collect the various options and examples (exploits) of such interaction.

Typical attack steps

1. Scan the internal network to determine the internal infrastructure you may access
2. Collect open ports on localhost and other internal hosts you are interested in (basically by
3. Determine the services/daemons on those ports using a wiki or the daemons' banners (if you may watch
4. Determine the type of your SSRF combination:
○ Direct socket access (such as this example)
○ Sockets client (such as Java URI, cURL, LWP, others)
5. In case of direct socket access, determine CRLF and other injections for smuggling
6. In case of a sockets client, determine the available URI schemes
7. Compare the available schemes and the services'/daemons' protocols to find smuggling options
8. Determine host-based auth daemons and try to exploit them
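The steps above turn on two properties of the fetching component: which URI schemes it accepts and whether it can reach localhost or internal hosts. The following is an added defensive example, not part of the original cheatsheet, showing a pre-fetch check that refuses non-HTTP(S) schemes and any host that resolves to a loopback, private, link-local or otherwise non-public address. The `static_resolver` helper and the `DEMO_TABLE` entries are constructed for offline use; in production the fetcher must also connect to the IP that was checked, not re-resolve the name, or a DNS rebinding race defeats the check.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are allowed out; gopher://, dict://, file:// and the
# like are refused so the fetcher cannot be used to speak other protocols.
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so IPv4-mapped loopback/private ranges are caught.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def system_resolver(host: str) -> list:
    """Resolve via the OS; every returned address is checked, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def static_resolver(table: dict):
    """Constructed stand-in for system_resolver so the example runs offline."""
    def resolve(host: str) -> list:
        if host not in table:
            raise socket.gaierror(f"no such host: {host}")
        return table[host]
    return resolve

def check_outbound_url(url: str, resolver=system_resolver) -> tuple:
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ips = resolver(host)
    except socket.gaierror as exc:
        return False, f"dns failure: {exc}"
    for ip in ips or []:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return (True, "ok") if ips else (False, "host has no addresses")

# Constructed demo table: the public address is an illustrative value only.
DEMO_TABLE = {
    "www.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
    "localhost": ["127.0.0.1"],
    "::1": ["::1"],
}
```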

Source: Wallarm