
Server Side Request Forgery (SSRF)

Sam Sanoop edited this page Jan 12, 2026 · 3 revisions

Introduction

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker can craft a request that the application itself then initiates. This can then be leveraged to make requests to internal or third-party systems, for example:

  • Port scanning on the internal network, via the vulnerable target
  • Access applications running on intranet or local network
  • Use the vulnerable target as a proxy and talk to third party applications on the internet
  • Use the file protocol to read local files from the underlying operating system

Details

Certain APIs or RPC services provide the function of obtaining data from another API or application, with the destination supplied in the form of an HTTP request parameter. In these cases, it might be possible to leverage the API to perform actions such as port scanning.

An XML-RPC service is available on port 9090 of the dvws-node application. Within the dvws-node application, a hint regarding the usage of this XML-RPC service is shown in the code comments of http://dvws.local/error.html. The same information can also be obtained by brute forcing method names against the http://dvws.local:9090/xmlrpc server directly, for example with the standard system.listMethods call:

POST /xmlrpc HTTP/1.1
Host: dvws.local:9090
User-Agent: Mozilla/5.0
Content-Type: text/xml
Connection: close

<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params/>
</methodCall>

A dvws.CheckUptime XML-RPC method is available, which takes a URL as its single string parameter and makes a request to the http://127.0.0.1/uptime endpoint to retrieve system uptime information.

POST /xmlrpc HTTP/1.1
Host: dvws.local:9090
User-Agent: Mozilla/5.0
Content-Type: text/xml
Content-Length: 230
Connection: close

<?xml version="1.0"?>
<methodCall>
  <methodName>dvws.CheckUptime</methodName>
  <params>
    <param>
      <value>
        <string>http://127.0.0.1/uptime</string>
      </value>
    </param>
  </params>
</methodCall>


The <param><value><string> element value can be changed to make requests to other entities.
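The fix is to stop trusting the caller-supplied URL. The snippet below is an added example written for this page, not dvws-node's own code: it shows how a CheckUptime-style handler can validate the supplied target against a strict allowlist (scheme, host, port and path all compared after WHATWG URL parsing) before a request is made. The function names (isAllowedTarget, handleCheckUptime), the ALLOWED_TARGETS table and the sample inputs are all constructed for the example; the only value taken from the page is the legitimate endpoint http://127.0.0.1/uptime.

```javascript
// Hardened destination check for an XML-RPC "CheckUptime"-style method.
// Hypothetical example for this wiki page; not the dvws-node implementation.

// The only destination the method is ever meant to contact (from the page).
// Fields are compared against the parsed URL, so "http://127.0.0.1:80/uptime",
// "HTTP://127.0.0.1/./uptime" etc. normalise to the same allowed target.
const ALLOWED_TARGETS = [
  { protocol: 'http:', hostname: '127.0.0.1', port: '', pathname: '/uptime' },
];

// Parse with the WHATWG URL parser; anything it rejects is rejected outright.
function parseTarget(raw) {
  try {
    return new URL(String(raw));
  } catch (e) {
    return null;
  }
}

// Returns true only if every component matches an allowlisted target.
function isAllowedTarget(raw) {
  const url = parseTarget(raw);
  if (url === null) return false;
  // Embedded credentials (http://user:pw@host/) are never legitimate here.
  if (url.username !== '' || url.password !== '') return false;
  // The upstream endpoint takes no query string; refuse one rather than forward it.
  if (url.search !== '') return false;
  return ALLOWED_TARGETS.some((t) =>
    url.protocol === t.protocol &&   // rejects file:, gopher:, ftp:, ...
    url.hostname === t.hostname &&   // rejects other internal/external hosts
    url.port === t.port &&           // '' means the scheme default port (80)
    url.pathname === t.pathname      // rejects /xmlrpc, /admin, ... on the same host
  );
}

// Simulated method handler. fetchImpl(href) is injected so the example runs
// offline; a real handler would use an HTTP client configured NOT to follow
// redirects, since a redirect would otherwise bypass the check above.
function handleCheckUptime(rawTarget, fetchImpl) {
  if (!isAllowedTarget(rawTarget)) {
    // XML-RPC convention: return a fault instead of making the request.
    return { ok: false, faultCode: 400, faultString: 'target not permitted' };
  }
  const canonical = new URL(String(rawTarget)).href;
  return { ok: true, body: fetchImpl(canonical) };
}

// Constructed sample inputs: the legitimate target in several spellings,
// plus the kinds of values the page says an attacker would substitute.
const SAMPLE_TARGETS = [
  'http://127.0.0.1/uptime',
  'http://127.0.0.1:80/uptime',
  'HTTP://127.0.0.1/./uptime',
  'http://127.0.0.1:9090/xmlrpc',
  'http://10.0.0.5/uptime',
  'file:///etc/passwd',
  'http://user:pw@127.0.0.1/uptime',
  'http://127.0.0.1/uptime?x=1',
  'not a url',
];

// Classify every sample; returns { target: allowed? } for inspection.
function classifyAll(targets = SAMPLE_TARGETS) {
  const out = {};
  for (const t of targets) out[t] = isAllowedTarget(t);
  return out;
}

console.log(classifyAll());
```

The allowlist is a second line of defence: if CheckUptime only ever needs http://127.0.0.1/uptime, the better fix is to hard-code that URL server-side and drop the parameter entirely. Where a parameter must stay, compare parsed components rather than doing string prefix matching on the raw value, and keep the outbound HTTP client from following redirects or resolving to unexpected addresses, because the check here only validates the literal destination.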
