Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to trick a server application into making HTTP requests to an arbitrary domain of the attacker’s choosing. In typical SSRF examples, an attacker can force a server to establish a reverse connection with itself, or with other web services in the organization’s infrastructure, or with external third-party systems. SSRF attacks often use trust relationships to escalate an attack from a vulnerable application and perform unauthorized actions. A successful SSRF attack can often lead to unauthorized actions or access to data within an organization, both within the vulnerable application itself and other internal systems with which the application may communicate. In some situations, the SSRF vulnerability could allow an attacker to execute an arbitrary command. An SSRF exploit that causes connections to external third-party systems can lead to malicious downstream attacks that appear to originate from the organization that hosts the vulnerable application.
SSRF attacks often use trust relationships to escalate an attack by a vulnerable program and perform unauthorized actions. These trust relationships can exist with respect to the server itself or with respect to other internal systems in the same organization. In a SSRF attack on the server itself, the attacker causes the application to make an HTTP request back to the server hosting the application through the loopback network interface. The trust relationship, where requests coming from the local machine are handled differently than normal requests, is often what makes SSRF a critical vulnerability.
Web crawling is an important aspect of security testing because it is the process of indexing data on web pages using automated scripts or programs. Waybackurls is a Golang based script or tool used to crawl domains and retrieve known URLs from the Wayback Machines, also known as Archives for *.target.com. To know more about waybackurls and installation process you can refer by link.
I found the Bug Bounty program through Google Dorks. Due to their disclosure policy, I cannot name this organization. So let’s call the domain target.com. First, I collected the subdomains using tool subfinder and stored the output in domains.txt. After that I ran tool httpprobe on domains.txt, to get live domains and saved the output in live_domains.txt.
Now I run the following command to collect URLs via waybackurls.
Since I have selected all the URLs in urls.txt, I have run tool httpx for identification status, title, technology status.txt.
I have now sorted all the urls that are live and available and removed all the broken urls. It makes my scouting easier. I opened status.txt and started looking for sensitive information, settings, usernames, passwords, tokens, sensitive files, etc.
Keywords I use: password, username, mail.com, token, access_token, url=, redirect_url=, api, id=, accessUrl=, payment, etc. After 30 minutes of scanning and sorting, I noticed one interesting URL:
My attention was drawn to the parameters “apiEvent” and “accessUrl” I replaced the URL of the parameters with the address of the Burp Collaborator. After replacement, the address looks like this:
I opened this URL in a browser and received DNS and HTTP requests to my server from their internal IP address. I have now done a whois to verify that this IP address belongs to their organization or a third party.
I have received confirmation that the IP address I received is an internal IP address of the organization. Now, to increase the impact, I opened BurpSuite and:
1. Intercepted the same request in Burpsuite (Screenshot 1).
2. Sent it to Intruder.
3. Chose the Pitchfork attack type.
4. Set the position of the payload at the end of 2 URLs (Screenshot 2).
5. Set the cycle to 100 (Screenshot 3).
6. We start the attack (Screenshot 4).
7. I received HTTP, DNS and SMTP requests (Screenshot 5).
I have now received DNS and HTTP requests as well as an SMTP request on my Burp Collab server confirming that I was able to perform an internal port scan using the SSRF vulnerability.