In the previous post we gave an introduction to Server-Side Request Forgery (SSRF) which included some examples. In this post there will be a demo to show how it works.

Firstly, we have the following code. This code, written in PHP acts as the external URL in which the general public would have access to, and it simply checks for the ‘url’ parameter and uses the file_get_contents function to show the requested file.

We then run two servers’ side-by-side.

Please note that localhost is used here for an example, however in a proper web application this URL would be an external one:

When entering a file that is likely to exist, this will be shown within the browser. The following screenshot shows the file http://localhost:8000/index.php?url=/etc/passwd being included, which technically is known as a Local File Include (LFI) which was mentioned in the previous post:

From here if we take the above URL and change it to http://localhost:8000/index.php?url=http://localhost:8001 our external URL on port 8000 is then making a request to the internal URL running on port 8001 in which generally shouldn’t be accessible:

As you might see, this is also like a Remote File Include (RFI). However, the difference here is that instead of including a file that is local or remote, SSRF is the way of accessing internal services which wouldn’t otherwise be available. 

Of course, this simple example doesn’t really show the extent of the damage SSRF’s can do. However, depending on how the host is configured and what services are available and left unprotected, this could expose sensitive data which could cost the company/organisation dearly, especially due to rules introduced by GDPR (General Data Protection Regulation).