AppSec Tales XVII | SSRF
5 min read · Aug 20, 2023
Application Security Testing for Server Side Request Forgery.
INTRODUCTION
This article describes how to test an application for Server Side Request Forgery (SSRF) vulnerabilities. The advice in this article is based on the following:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- Bug bounty reports
- Own experience.
TOOLING
Tools with basic usage & wordlist used for SSRF detection.
STANDALONE TOOLS
- SSRFmap — SSRF semi-automatic discovery and exploitation tool.
I am not using it because of problems with JSON parsing and the need to specify injection points manually. However, I decided to share it here in case it is helpful to someone else, or in case the tool improves in the future.
- internal_ip_addr_disclosure.py — script for detecting internal IP address leaks.
- ffuf — web fuzzer written in Go.
- Nessus and Burp Suite Professional: automated scanners.
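As an added example (not the article's own script, and not the internal_ip_addr_disclosure.py it lists), the Python below shows the kind of check such a tool performs: it scans an HTTP response's headers and body for IPv4 addresses that belong to private, loopback or link-local ranges, which indicate an internal address leaking to the client. The sample headers and body are constructed here, and the function names are assumptions of this example.

```python
"""Detect internal IPv4 addresses leaking in HTTP response headers and body.

Added example, not the article's script. The sample response below is
constructed for illustration and is not captured from any real system.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Dotted-quad candidates only; the lookarounds stop partial matches inside
# longer numeric strings (e.g. the "999.12.31.7" tail of a version number).
# Range validation is left to ipaddress, which rejects octets above 255.
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def classify(ip_text: str) -> Optional[str]:
    """Label an address as loopback / link-local / private, or None if public or invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # e.g. "1999.12.31.7" is not a valid IPv4 address
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return None


def find_internal_ips(text: str) -> Dict[str, str]:
    """Return {ip: kind} for every internal address found in text."""
    found: Dict[str, str] = {}
    for match in _IPV4_CANDIDATE.finditer(text):
        kind = classify(match.group(0))
        if kind is not None:
            found[match.group(0)] = kind
    return found


def scan_response(headers: Dict[str, str], body: str) -> List[dict]:
    """Check every header value and the body, recording where each leak was seen."""
    findings: List[dict] = []
    for name, value in headers.items():
        for ip, kind in find_internal_ips(value).items():
            findings.append({"location": f"header:{name}", "ip": ip, "kind": kind})
    for ip, kind in find_internal_ips(body).items():
        findings.append({"location": "body", "ip": ip, "kind": kind})
    return findings


# Constructed sample response (assumption: not from any real application).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Location": "http://10.0.3.15:8080/login",  # redirect exposes an internal host
    "X-Forwarded-For": "8.8.8.8",               # public address, must not be reported
}
SAMPLE_BODY = """<!-- debug: upstream 192.168.10.4 -->
<p>Version 2.10.3.1 build 1999.12.31.7</p>
<p>Error: connection refused to 127.0.0.1:5432</p>
"""

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{finding['location']}: {finding['ip']} ({finding['kind']})")
```

Running the block against the constructed sample reports the redirect target in the Location header, the upstream address in the HTML comment and the loopback address in the error message, while the public address, the version string and the over-255 octets are ignored. In a real test the headers and body would come from the responses of the application under assessment.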