Some notes on SSRF

PS: When I previously went through the top ten security risks there was no SSRF, only CSRF, so I am organizing and writing up this knowledge to enrich myself and be prepared.

SSRF (Server-Side Request Forgery): server-side request forgery.

I. Definition

        An attacker makes use of a specific function of an externally reachable web server (A) by supplying a malicious payload; when accessing A with that specially crafted payload, the attacker causes A to initiate a request to an internal system B (on the intranet, isolated and not reachable from outside) and so obtains sensitive information. In this case A is used as an intermediary (a springboard).

II. Principle (cause)

        SSRF vulnerabilities arise mainly because the server offers a feature that fetches data from other servers but does not filter or validate the destination address. In most web architectures the web server itself can reach both the Internet and the intranet on which the internal servers sit.

III. Exploiting the vulnerability

     In a nutshell, what the vulnerability allows:

     1. Network probing

        (1) Port-scan the intranet and the local host from the externally reachable server (to determine which intranet hosts are alive) and grab banners to identify services.

        (2) Fingerprint intranet web applications by requesting their default files.

     2. Attacking applications on the intranet

        (1) Attack intranet applications or applications running locally (using cross-protocol communication techniques).

     3. Attacking web applications on the internal and external network: SQL injection, Struts2, Redis and the like (a carefully constructed packet (payload) can be delivered to any port on any internal host).

     4. File read

        Read local files using the file:// protocol.

     5. DoS attacks (request large files and keep the connection open with keep-alive).

IV. Where to look for the vulnerability

     1. Social sharing: fetches the title and other content of a hyperlink for display

     2. Transcoding services: adapts the content of the web page at a URL to fit a phone screen

     3. Translation: translates the content of the page at a URL

     4. Image upload/download: for example, a rich-text editor with a "download image to local" option; uploading or downloading images via a URL

     5. Image/article collection: fetches the title and main text of the page at a URL for display, to give a good user experience

     6. Cloud service vendors: run remote commands to determine, for example, whether a site is alive; if you can capture that request, you can test for SSRF

     7. Site collection and crawling features: some sites do information gathering on a URL you enter

     8. Built-in database functions: such as MongoDB's copyDatabase function

     9. Mail systems: for example, the address of the receiving mail server

     10. Encoding, attribute-information and file processing: for example ffmpeg, ImageMagick, docx, pdf and xml processors, etc.

     11. Undisclosed APIs and other functions that take a URL: you can use Google search syntax with these keywords to find SSRF vulnerabilities

     Some keywords found in URLs: share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain ......

     12. Requesting resources from a remote server (upload from URL, as in Discuz!; importing and exporting RSS feeds, as in web blogs; places where XML engines load objects, such as WordPress's xmlrpc.php)

V. Bypassing filters

     1. http://[email protected]/ : when requested, this is the same as http://www.baidu.com/ (everything before the @ is parsed as user info, not as the host)

     2. Writing the IP address in a different number base

     3. URL redirect bypass: http://www.hackersb.cn/redirect.php?url=http://192.168.0.1/

     4. Short URL bypass: http://t.cn/RwbLKDx

     5. xip.io bypass: http://xxx.192.168.0.1.xip.io/ == 192.168.0.1 (xxx is arbitrary)

        A domain name that points to any IP: xip.io (a custom DNS service developed by 37signals)

     6. If the filter restricts by subnet, you can append :80 to bypass it: http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.78:80

     7. Probe for intranet domain names, or resolve your own domain name to an intranet IP

     8. Bypass using @: e.g. http://10.153.138.81/ts.php; a fix that determines the host by splitting on / is easy to get wrong,

        because it can still be bypassed with http://[email protected]/

VI. Defense and remediation

     1. Never follow redirects

     2. Filter the returned information. Validating the remote server's response to the request is a relatively easy method: if the web application expects a certain type of file, verify that the returned information matches that format before showing the result to the user.

     3. Disable unnecessary protocols and allow only http and https requests. This prevents problems caused by file://, gopher://, ftp:// and similar.

     4. Prefer whitelist validation: filter by the domain names and IPs the application actually needs. Consider a blacklist only when a whitelist cannot meet requirements, for example forbidding requests to private IP addresses; an incomplete blacklist is likely to leave filtering gaps. (Use gethostbyname() to determine whether the resolved address is an intranet IP.)

     5. Restrict the requested port to common HTTP ports, such as 80, 443, 8080, 8090

     6. Use a unified error message, so that a user cannot determine the state of a port on the remote server from the error message.
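As an added example (not code from the original post), here is a Python check that applies the defensive rules of this section and uses the bypass tricks from section V as its inputs: only http/https, no user info before @, a port whitelist, decimal/octal/hex IP spellings decoded, and every DNS answer checked against public address space. `dns_resolve`, `literal_ip`, `check_url` and the constants are names I chose; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8090}  # the common web ports the page suggests

def dns_resolve(host):
    try:  # every A/AAAA record of host; a filter must check all of them, not just the first
        return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def literal_ip(host):
    """Host as an IP if it is a literal, including decimal/octal/hex spellings of IPv4."""
    h = host.lower()
    base = 16 if h.startswith("0x") else 8 if len(h) > 1 and h[0] == "0" else 10
    try:
        return ipaddress.ip_address(int(h, base))  # integer spelling, e.g. 2130706433
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(host)          # dotted quad or IPv6 literal
    except ValueError:
        return None

def check_url(url, resolver=dns_resolve):
    """Return (allowed, reason) for an outbound URL the application is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # blocks file://, gopher://, ftp://
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before @ not allowed"  # http://trusted@target/ form
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    ip = literal_ip(parts.hostname)
    addrs = [ip] if ip else resolver(parts.hostname)  # xip.io-style names end up here
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if not addr.is_global:
            return False, "non-public address " + str(addr)
    return True, "ok"
```

Run the check again on the address the HTTP client actually connects to, since a DNS answer can change between the check and the request, and fetch with redirects disabled so that every Location target is passed through the same check.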


These notes were compiled with reference to:

1. https://blog.csdn.net/qq_37133717/article/details/94647789

2. https://xz.aliyun.com/t/2115

3. https://blog.csdn.net/lanyef/article/details/102656077


Origin www.cnblogs.com/LuckyEnterprise/p/12452787.html