AppSec Tales XVII | SSRF

Application Security Testing for the Server Side Request Forgery.

INTRODUCTION

The article describes how to test the application to find Server Side Request Forgery vulnerabilities. The advice in this article is based on the following:

• OWASP Web Security Testing Guide
• OWASP Application Security Verification Standard
• Bug bounty reports
• Own experience.

TOOLING

Tools with basic usage & wordlist used for SSRF detection.

STANDALONE TOOLS

• SSRFmap— SSRF semi-automatic discovery and exploitation tool.

I am not using it due to problems with JSON parsing and the need to specify injection points manually. However, I decided to share it here in case it may be helpful to someone else and if the tool improves in the future.

• internal_ip_addr_disclosure.py — script for detecting internal IP leak.

Source: Own study — Script options.

• ffuf — web fuzzer written in GO.
• Nessus & Burp Suite Professional automatic scanners.