AppSec Tales XVII | SSRF

Application Security Testing for the Server Side Request Forgery.

INTRODUCTION

The article describes how to test the application to find Server Side Request Forgery vulnerabilities. The advice in this article is based on the following:

• OWASP Web Security Testing Guide
• OWASP Application Security Verification Standard
• Bug bounty reports
• Own experience.

TOOLING

Tools with basic usage & wordlist used for SSRF detection.

STANDALONE TOOLS

• SSRFmap— SSRF semi-automatic discovery and exploitation tool.

I am not using it due to problems with JSON parsing and the need to specify injection points manually. However, I decided to share it here in case it may be helpful to someone else and if the tool improves in the future.

• internal_ip_addr_disclosure.py — script for detecting internal IP leak.

Source: Own study — Script options.

• ffuf — web fuzzer written in GO.
• Nessus & Burp Suite Professional automatic scanners.

I have described how to use above automatic scanners in another article:

Infrastructure testing with MSF

BURP SUITE PRO EXTENSIONS

• Burp Bounty Pro — additional automatic scanning capabilities.

Source: Own study — Using Burp Bounty Pro tag scanning capabilities.

WORDLISTS

• SSRF —designed to find SSRF vulnerabilities. This wordlist contains (schemes.txt+hosts.txt), SSRF_unique.txt and RFI payloads.
• single-char — stack trace detection.
• common_TCP_ports.txt — top 1000 TCP ports.