Overview of Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker can induce a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This flaw typically arises when an application fetches a remote resource without properly validating user-supplied URLs.

Common PHP functions that can lead to SSRF if misused include file_get_contents(), fsockopen(), and curl_exec().

Potential Impacts of SSRF

1. Internal Network Reconnaissance: Probing internal network services and infrastructure.
2. Attacks on Internal Services: Targeting vulnerable services within the internal network or on localhost.
3. Local File Read via file:// Protocol: Accessing sensitive local files.
4. Fingerprinting Internal Web Applications: Identifying software, frameworks, and versions running on internal hosts.
5. Port Scanning: Determining open ports on internal systems.

Key Protocols and Tools for SSRF Exploitation

Gopher and Dict Protocols

• Gopher Protocol: A flexible protocol that can be leveraged in SSRF attacks to interact with various services like FTP, Telnet, Redis, and Memcache. It can also craft GET and POST requests.
• Dict Protocol: The Dictionary Server Protocol (RFC 2229), which typical listens on port 2628. It can be used to retrieve information from services supporting the protocol.
• Redis Service: Often runs on its default port, 6379.

The cURL Command-Line Tool

cURL is a command-line utility for transferring data with URLs. Its basic usage for a GET request is:

curl https://www.target-domain.com

The -v (verbose) flag is useful for debugging and observing the full request/response cycle, which can be exploited in SSRF contexts:

1. Reading files with file://:

   curl -v file:///etc/passwd
   

2. Interacting via FTP:

   curl -v "ftp://internal-host:21/"
   

3. Querying with Dict:

   curl -v "dict://127.0.0.1:2628/info"
   

4. Using Gopher:

   curl -v "gopher://127.0.0.1:6379/_INFO%0D%0A"
   

Common SSRF Exploitation Techniques

Technique 1: File Reading Functions

PHP's file() and file_get_contents() functions both read file contents but differ in output format. file() reads a file into an array (each line an element), while file_get_contents() reads the entire file into a single string. The latter is often the preferred method and a common source of SSRF.

Technique 2: Internal Network Probing and Attacks

1. Accessing Public Resources: A simple test using a normal URL parameter like ?url=http://example.com/robots.txt.
2. Port Scanning: By requesting dict:// or other protocols to internal IPs and different ports, one can infer port status based on server response (error vs. banner information).
   • Example: ?url=dict://172.16.1.10:3306
3. Reading Local Files: Using the file:// protocol to access system files.
   • Example: ?url=file:///C:/Windows/System32/drivers/etc/hosts
4. Internal Application Fingerprinting: Identifying software on internal hosts by requesting known paths (e.g., ?url=http://internal-web/phpmyadmin/README).
5. Attacking Internal Applications: Exploiting known vulnerabilities (e.g., command injection in Struts2, weak credentials) in internal services accessible via HTTP/HTTPS.

Practical Demonstration Scenarios

Scenario 1: SSRF via cURL Implementation

A vulnerable application might use user input directly within a curl_exec() call. An attacker can modify the URL parameter to:

• Redirect the server's request to an external domain.
• Probe internal network addresses (http://192.168.1.10:8080).
• Scan internal ports by observing response differences.

With out proper input validation and filtering, the server becomes a proxy for internal network reconnaissance.

Scenario 2: SSRF via file_get_contents()

When file_get_contents() is used with user-controlled input, attackers can leverage PHP wrappers.

A common exploit involves the php://filter wrapper to read the source code of server-side scripts:

http://target-site/vuln.php?file=php://filter/read=convert.base64-encode/resource=index.php

This request encodes the index.php file in base64, which can then be decoded to reveal the source code, potentially exposing other vulnerabilities or sensitive logic.

Deefnsive Strategies Against SSRF

1. Protocol Allowlisting: Restrict requests to only necessary protocols (e.g., http and https). Block file://, gopher://, dict://, etc.
2. IP Address Restriction: Implement an allowlist of permitted domains or IP ranges. Deny requests to internal (RFC 1918), loopback, or link-local addresses.
3. Port Restriction: Limit outbound connections to standard web ports (e.g., 80, 443).
4. Resposne Validation: Inspect and filter the content returned from the remote resource before relaying it to the user.
5. Uniform Error Handling: Use generic error messages for all failed requests. Disable HTTP redirect follows (30x responses) in the server's fetching functon to prevent attackers from chaining requests to bypass filters.