In the previous post we gave an introduction to Server-Side Request Forgery (SSRF) which included some examples. In this post there will be a demo to show how it works.

 

Firstly, we have the following code. This code, written in PHP acts as the external URL in which the general public would have access to, and it simply checks for the ‘url’ parameter and uses the file_get_contents function to show the requested file.

We then run two servers’ side-by-side.

 

Please note that localhost is used here for an example, however in a proper web application this URL would be an external one:

Local host screenshot of code

 

When entering a file that is likely to exist, this will be shown within the browser. The following screenshot shows the file http://localhost:8000/index.php?url=/etc/passwd being included, which technically is known as a Local File Include (LFI) which was mentioned in the previous post:

etc Password Local File Screenshot

 

 

From here if we take the above URL and change it to http://localhost:8000/index.php?url=http://localhost:8001 our external URL on port 8000 is then making a request to the internal URL running on port 8001 in which generally shouldn’t be accessible:

Port 8001 Screenshot

 

As you might see, this is also like a Remote File Include (RFI). However, the difference here is that instead of including a file that is local or remote, SSRF is the way of accessing internal services which wouldn’t otherwise be available. 

 

Of course, this simple example doesn’t really show the extent of the damage SSRF’s can do. However, depending on how the host is configured and what services are available and left unprotected, this could expose sensitive data which could cost the company/organisation dearly, especially due to rules introduced by GDPR (General Data Protection Regulation). 

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
Social
crown commercial service supplier
cyber essentials
iasme consortium
pentest
ukas iso 9001ukas iso 27001
Back to top
Get in touch