
Exercise 25: Server-Side Request Forgery (SSRF)

Mar 1, 2025

Objective

Learn how to exploit a Server-Side Request Forgery (SSRF) vulnerability to make the server issue requests to internal resources on an attacker's behalf, and understand which mitigations actually close the hole.

Scenario

You are testing a web application that fetches user-supplied URLs to display website previews. Because the URL is never validated, the application is vulnerable to SSRF: an attacker can make the server reach internal systems, internal APIs and cloud metadata endpoints that are not reachable from the attacker's own network position.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and HTTP requests.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

PHP Script to Fetch URLs

Create a file fetch.php:

<?php
// Deliberately vulnerable: the user-supplied URL is passed straight to
// file_get_contents() with no scheme, host or IP validation.
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    $response = file_get_contents($url);
    echo "<h2>Fetched Content:</h2>";
    // Output is HTML-escaped, so the issue here is SSRF, not XSS.
    echo "<pre>" . htmlspecialchars($response) . "</pre>";
}
?>

<h2>Fetch Website Content</h2>
<form method="GET" action="">
    URL: <input type="text" name="url" required><br>
    <button type="submit">Fetch</button>
</form>

Running the Application

  • Start the Apache server.
  • Place fetch.php in the web server’s root directory (htdocs for XAMPP).
  • Open http://localhost/fetch.php in your browser.

Exploitation Steps

Step 1: Accessing Internal Resources

Enter the following URL into the form:

http://localhost/phpmyadmin

Enter another internal URL:

http://127.0.0.1:8080/admin

Expected Result:

  • The server fetches and displays content from internal resources. Services that are bound to, or only accept connections from, the local host still respond, because the request originates from the server itself rather than from your browser.

Step 2: Exploiting Cloud Metadata Service (For Cloud Deployments)

Enter the cloud metadata URL:

http://169.254.169.254/latest/meta-data/

Expected Result:

  • The server reveals metadata about the cloud instance (e.g., AWS EC2 instance details, and under the same path prefix the temporary credentials of any IAM role attached to the instance). On AWS instances configured for IMDSv2 only, a plain GET is answered with 401 because a session token first has to be obtained with a PUT request, which this GET-only SSRF cannot issue.

Solution and Prevention

Problem Analysis

  • The server passes the user-supplied URL straight to file_get_contents() without validation, so the request is made from the server's own network position and can reach internal services, internal APIs and the instance metadata endpoint.

Fixing the Vulnerability

Validate and Sanitize URLs

Restrict access to internal IP ranges. The check has to be made on the resolved IP address, not on the URL string: prefixes such as "10." or "172.16." miss addresses like 172.17.0.1 and every IPv6 form, and comparing the name "localhost" against a list is pointless once the name has been resolved.

function is_valid_url($url) {
    $parsed = parse_url($url);
    if ($parsed === false || empty($parsed['scheme']) || empty($parsed['host'])) {
        return false;
    }
    // Only http and https; file_get_contents() would otherwise open
    // file://, php:// or ftp:// targets just as readily.
    if (!in_array(strtolower($parsed['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // Literal IPs (IPv6 comes back from parse_url() in brackets) are checked
    // directly; hostnames are resolved first. gethostbyname() returns the name
    // unchanged when resolution fails (or when only an AAAA record exists),
    // so that case is rejected: fail closed.
    $host = trim($parsed['host'], '[]');
    $is_literal = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ip = $is_literal ? $host : gethostbyname($host);
    if (!$is_literal && $ip === $host) {
        return false;
    }
    // Reject loopback, link-local (169.254.0.0/16, where the metadata service
    // lives), RFC 1918 / fc00::/7 private ranges and other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

if (isset($_GET['url']) && is_valid_url($_GET['url'])) {
    $response = file_get_contents($_GET['url']);
    echo "<h2>Fetched Content:</h2>";
    echo "<pre>" . htmlspecialchars($response) . "</pre>";
} else {
    echo "<h2>Invalid or restricted URL.</h2>";
}

Two gaps remain with this check on its own. file_get_contents() resolves the name a second time when it connects, so a DNS answer that changes between the two lookups (DNS rebinding) gets past the filter. It also follows HTTP redirects, so a public host that answers 302 Location: http://169.254.169.254/ is still reached. The HTTP client therefore has to connect to the address that was validated and must not follow redirects without re-validating them, with the firewall rules below as the backstop.

Use URL Scheme Restrictions

Allow only http and https. file_get_contents() accepts every registered stream wrapper, so without this check a URL using the file:// or php:// wrapper is served from the local filesystem rather than from the network. Put this check before any fetch, whether or not an IP check is also in place:

$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
if (!in_array($scheme, ['http', 'https'], true)) {
    die("Invalid URL scheme.");
}
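The two code fragments above validate the URL but still hand the fetch to file_get_contents(), which re-resolves the name and follows redirects. The following is an added example (not code from the original exercise) that rebuilds fetch.php on cURL so that the request is pinned to the address that was validated, redirects are refused, and only http/https are allowed. It assumes PHP 8 with the curl extension and that only public http/https targets are legitimate for previews; the function names resolve_public_ips() and safe_fetch() are this example's own.

```php
<?php
// Added example, not code from the original exercise: the preview feature
// rebuilt on cURL so the connection goes to the address that was validated.
// Assumes PHP 8 with the curl extension. Function names are this example's own.

function resolve_public_ips(string $host): array {
    // A literal address (parse_url() returns IPv6 literals in brackets).
    $bare = trim($host, '[]');
    if (filter_var($bare, FILTER_VALIDATE_IP) !== false) {
        $ips = [$bare];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'];
        }
    }
    // Every address the name resolves to must be public. One record pointing
    // at 127.0.0.1 or fd00::/8 rejects the whole host, since a client may
    // otherwise pick exactly that record.
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return [];
        }
    }
    return $ips;
}

function safe_fetch(string $url): string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URLs are allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ips = resolve_public_ips($p['host']);
    if ($ips === []) {
        throw new InvalidArgumentException('host is internal, reserved or unresolvable');
    }
    // Pin the connection to the first validated address. A second lookup done
    // by cURL could return a different answer (DNS rebinding) and bypass the check.
    $pin = str_contains($ips[0], ':') ? "[{$ips[0]}]" : $ips[0];

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$pin}"],
        // Never follow redirects automatically: a public host may answer
        // 302 Location: http://169.254.169.254/ and cURL would fetch it.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_MAXFILESIZE    => 1 << 20, // 1 MiB cap; enforced when Content-Length is sent
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    if ($code >= 300 && $code < 400) {
        // To support redirects, loop here and run the new Location through
        // the same validation before following it.
        throw new RuntimeException("redirect ($code) refused");
    }
    return $body;
}

// Same form handler as fetch.php, now routed through the hardened fetcher.
if (isset($_GET['url'])) {
    try {
        $response = safe_fetch($_GET['url']);
        echo "<h2>Fetched Content:</h2>";
        echo "<pre>" . htmlspecialchars($response) . "</pre>";
    } catch (Exception $e) {
        // Keep $e->getMessage() out of the response in production.
        echo "<h2>Invalid or restricted URL.</h2>";
    }
}
?>
```

PHP's FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE cover the RFC 1918 ranges, fc00::/7, loopback, link-local (including 169.254.169.254) and IPv4-mapped IPv6 addresses, but not every range an organisation may consider internal (for example 100.64.0.0/10); extend resolve_public_ips() with your own list where that matters.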

Network Firewall Restrictions

Validation in application code is the first line of defence, not the last. Add host or network egress rules so that the process running the web server cannot open connections to 169.254.169.254, the RFC 1918 ranges and loopback-only admin services, regardless of what the PHP code does. On cloud instances, also enable the provider's hardened metadata mode where one exists (for example AWS IMDSv2, which requires a session token obtained with a PUT request).

Use SSRF Protection Libraries

Prefer a maintained library that already handles DNS resolution, redirect re-validation and IPv6 address forms over a hand-written blocklist; the list of edge cases is long, and a home-grown check tends to miss some of them.


Testing After Fix

Attempt to access internal resources with the URLs used in the exploitation steps:

http://localhost/phpmyadmin
http://127.0.0.1:8080/admin
http://169.254.169.254/latest/meta-data/

Expected Result:

The server rejects each request with the message "Invalid or restricted URL." Also fetch a legitimate public website to confirm that the preview feature itself still works after the fix.


Conclusion

In this lab, you exploited a Server-Side Request Forgery (SSRF) vulnerability to access internal services and cloud metadata. You also learned how to mitigate this risk by validating URL schemes, blocking internal IP ranges on the resolved address, and implementing network restrictions as a backstop.
