Intro to SSRF

1. What is SSRF?

A brief description of Server-Side Request Forgery, types of SSRF attacks and the impacts.

This then includes an example of how SSRF works and a small challenge to get a flag using SSRF.

I won't go into detail, but this was the end result that allowed me to get the flag and the server request.

The &x= stops the remaining path from being appended to the end of the URL and instead turns it into a parameter on the query string.

https://website.thm/item/2?server=server.website.thm/flag?id=9&x=
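Added example (not part of the original writeup or the room's code) showing why the trailing &x= works. The vulnerable function glues the server parameter onto an assumed fixed suffix (/api/item/2 is an assumption), and urlsplit shows where each piece of the resulting URL lands: the path ends at /flag and the suffix becomes the value of x. The hardened function parses the parameter, accepts only a bare host from an allow list (api.website.thm is an assumed name) and rebuilds the URL from components, so a path or query smuggled into the parameter is rejected rather than forwarded.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed example, not the room's server code: a server that takes a
# "server" parameter and appends a fixed path before making its own request.
FIXED_SUFFIX = "/api/item/2"          # assumed suffix the server appends
ALLOWED_HOSTS = {"api.website.thm"}   # assumed allow list for the hardened version


def build_url_by_concatenation(server_param: str) -> str:
    """Vulnerable pattern: the parameter is glued into the URL unparsed."""
    return "https://" + server_param + FIXED_SUFFIX


def describe(url: str) -> dict:
    """Break a URL into the parts the outbound request will actually use."""
    parts = urlsplit(url)
    return {
        "host": parts.netloc,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
    }


def build_url_safely(server_param: str) -> str:
    """Hardened version: parse the parameter, accept only a bare allow-listed
    host, and rebuild the URL from components so nothing can be smuggled."""
    parts = urlsplit("https://" + server_param)
    if parts.netloc not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.netloc!r}")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("server parameter must be a bare hostname")
    return urlunsplit(("https", parts.netloc, FIXED_SUFFIX, "", ""))


if __name__ == "__main__":
    payload = "server.website.thm/flag?id=9&x="   # the parameter value from the room
    print(describe(build_url_by_concatenation(payload)))
    # -> path is '/flag'; the appended suffix ends up as the value of 'x'
    try:
        build_url_safely(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the split of the concatenated URL, which is the clearest way to see that everything after the second ? is treated as a query string by the receiving server, and then shows the same value being refused by the allow-list version.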

2. Finding an SSRF

The next section talks about different ways to find SSRF, e.g. when full URL paths are used as parameters, a hidden form field, or a partial URL such as the hostname or just the path of the URL. It then explains that external HTTP logging tools can be used to monitor requests, such as requestbin.com, your own HTTP server or Burp Suite.

3. Defeating Common SSRF Defences

This section talks about how to defeat common SSRF defences such as Allow Lists, Block Lists and Open Redirects.

Their explanation of Defeating Common SSRF Defences

4. SSRF Practical

Now the practical exercise of the room has us go to a URL and access a hidden new account page that has an SSRF vulnerability on it. We first have to make an account and navigate to the new-account page. We then view the page source to see that the avatars we can select have a form field value that contains the path to the image.

Avatar form field value with link to image

When we select an avatar and update it, the page shows our currently selected avatar above these images. When you view the source, it shows the data URI scheme with the image content base64 encoded.

Image contents base64 encoded

We know the directory we want to get to is called /private, so we can edit the value of one of the avatar form inputs to this, select it and update the avatar. Unfortunately we get an error that says the URL cannot start with /private, so we know that the website is using a Deny List to block access to this endpoint.

To bypass this we can use path traversal to go one level up in the file hierarchy and get to the path using the same method we did before.

Using path traversal to get to the location we need

Once we update the avatar, we can see that it worked, and we can get the contents by base64 decoding the value.

Base64 encoded flag
Decoded flag
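Added example (not part of the original writeup or the room's code) that ties the Deny List discussion in section 3 to the practical above. deny_list_blocks mirrors the room's check, which only rejects values that literally start with /private, so a value that reaches the same place through a .. segment is not caught. is_allowed_avatar_path shows the defensive fix: percent-decode and normalise the path first, then apply an allow list on the directory the avatars actually live in (/images/ is an assumed name, as is avatar1.png). decode_data_uri recovers the bytes from a base64 data URI like the avatar preview; the sample URI is constructed around a placeholder string, not the room's real flag.

```python
import base64
import posixpath
from urllib.parse import unquote

ALLOWED_PREFIX = "/images/"   # assumed directory the avatar images live in


def deny_list_blocks(value: str) -> bool:
    """Mirrors the room's check: reject only values that literally start with
    /private. A traversal sequence slips past because the prefix differs."""
    return value.startswith("/private")


def is_allowed_avatar_path(value: str) -> bool:
    """Allow-list check done after normalisation, so '..' segments and
    percent-encoding are resolved before the decision is made."""
    decoded = unquote(value)
    # Anything that could change the scheme or host is not an image path.
    if "://" in decoded or decoded.startswith("//") or "\\" in decoded:
        return False
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    return resolved.startswith(ALLOWED_PREFIX)


def decode_data_uri(data_uri: str) -> bytes:
    """Recover the raw bytes from a base64 data URI like the avatar preview."""
    header, sep, payload = data_uri.partition(",")
    if not sep or not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError("expected a base64 data URI")
    return base64.b64decode(payload, validate=True)


# Constructed sample: what the avatar preview would carry if the fetched
# resource were this placeholder text (not the room's real flag).
SAMPLE_DATA_URI = "data:text/plain;base64," + base64.b64encode(
    b"FLAG{constructed_placeholder}").decode("ascii")

if __name__ == "__main__":
    for candidate in ["/images/avatar1.png", "/private", "/images/../private"]:
        print(f"{candidate:22} deny-list blocks: {deny_list_blocks(candidate)!s:5} "
              f"normalised allow-list permits: {is_allowed_avatar_path(candidate)}")
    print(decode_data_uri(SAMPLE_DATA_URI))
```

The point of the comparison is that the deny list and the allow list disagree only on the traversal value: the deny list lets it through because the string does not begin with /private, while normalising first collapses it to /private and the allow list rejects it. Checking the resolved path rather than the raw string is what closes the gap the practical exploits.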
