Date : 04 Mar, 2025

Overall SSRF Summary

What is SSRF (Server-Side Request Forgery)?

SSRF is a security flaw in web applications where an attacker can manipulate the server to make HTTP requests to unintended destinations.1 Essentially, the attacker tricks the web server into acting as a proxy to access resources that the attacker themselves cannot directly reach.

Here's a simpler way to think about it:

Imagine a web server that needs to fetch information from another website or internal system to display it to you. With an SSRF vulnerability, an attacker can change the instructions given to the web server, making it request data from places it shouldn't, like:

• Internal services: Accessing sensitive configuration files or internal applications that are not meant to be public.
• External systems: Potentially attacking other websites or services from the vulnerable server, making it appear as if the requests are coming from a legitimate source.

Goal of the Labs

• Access the internal admin interface

• Delete a user named carlos by triggering a request to:
  http://localhost/admin/delete?username=carlos

• Learn how to bypass protections, trick the server, and exploit trust in internal networks

Lab 1: Basic SSRF against localhost

• Feature: "Check stock" made backend requests using a stockApi parameter.

• Goal: Make the server fetch http://localhost/admin

• Steps:

  • Intercept the request in Burp Suite.
  • Change stockApi=http://localhost/admin
  • Identify and submit the delete URL via SSRF: stockApi=http://localhost/admin/delete?username=carlos

✅ Key concept: Direct SSRF to localhost (127.0.0.1)

Lab 2: SSRF with IP Range Scan

• Blocking: Direct requests to localhost were blocked.
• Bypass: Scanned internal IPs like 192.168.0.1 to 192.168.0.255 using Burp Intruder
• Found a working admin interface at something like http://192.168.0.12/admin
• Used that to delete carlos

✅ Key concept: Internal IP range scan + identifying trusted internal service

Lab 3: SSRF with obfuscated localhost

• Problem: 127.0.0.1 and /admin were blacklisted

• Bypass:

  • Used loopback alias: http://127.1/
  • Double-encoded path: http://127.1/%61dmin (%2561 = double-encoded "a")

• This tricked the server into accessing /admin

✅ Key concept: Obfuscating internal URLs to bypass filters

Lab 4: SSRF via Open Redirection

• Blocking: Couldn’t directly access internal IPs

• Found that /product/nextProduct?path=... had an open redirect vulnerability

• Used redirection to chain SSRF:

  stockApi=/product/nextProduct?path=http://192.168.0.12/admin

• Then redirected to delete carlos

Key concept: SSRF via chained open redirect

Key Learnings

• Internal IPs like 127.0.0.1, 192.168.x.x are trusted by servers.

• SSRF can be exploited to access sensitive internal functionality, even if it's not meant for users.

• Input filters can be bypassed using:

  • Alternate IP formats (127.1)
  • URL encoding and double encoding
  • Chained open redirects
  • IP range brute forcing

Real-World Risk

• Access internal dashboards, cloud metadata, file systems
• SSRF can lead to Remote Code Execution (RCE) or full server takeover
• Common in cloud, microservices, or internal API environments