If you are not already familiar with the concept of “Server-Side Request Forgery (SSRF)”, we suggest that you review “What Is Server-Side Request Forgery?“.
Blackbox testing for SSRF can be very difficult if you do not have insight into what services are accessible and their APIs. Fuzzing parameters is about all you can do in the absence of design insight, but watching carefully for responses other than 404 might be a tip-off that there are other accessible back-end services available.
Whitebox testing means you will see to it that you are armed with sufficient knowledge about accessible services that you can intelligently fuzz the target domain and query parameters to attempt to broaden the scope of communication between the website and back-end services.
Manually detecting Server-Side Request Forgery vulnerabilities involves making a careful examination of HTTP Requests, seeking inputs (parameters and headers) whose values are whole or partial URL references to other internal resources within or external to the application. Note that such references may be partial, intended to be assembled into full URLs by the application, but it may also be the (easier) case in which full URLs are passed as inputs. Any such parameter is a candidate for testing as a potential Server-Side Request Forgery vulnerability.
Using a web-proxy, each candidate parameter is then assigned a “sentinel” value representing an internal site or operation outside the normal purview of the application. Consequent changes in application behavior such as access to unauthorized content, or execution of unauthorized services is clear evidence of a Server-Side Request Forgery vulnerability.
Note that any Open Redirect or Open Forward vulnerabilities detected should also be tested with internal URLs, and any SSRF vulnerabilities checked with external URLs.
For additional insight on how to prevent and fix Server-side Request Forgery vulnerabilities, please see the article entitled “How To Prevent Server-Side Request Forgery“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.