Full Report
The author of this Tweet has made over 500K in SSRF bugs. In this thread, they go through their best tricks.

The first trick is using other URL schemes like file:// and many others. This can lead to RCE or arbitrary file reads. If you can't hit internal parts, try using alternative encodings, for instance octal, hex, binary and others. They recommend the tool IPFuscator for doing this. Different representations of localhost like 127.0.0.1 and 0.0.0.0 can make it possible to bypass these filters. This is probably my favorite trick: if you can't hit the AWS metadata address 169.254.169.254, then use instance-data, which resolves to this IP instead. That's pretty fire and clutch that this works on EC2 instances.

On top of this, they mention knowing your technologies. Different techs have different internal endpoints to hit. If you can't supply a full URL, there are still many ways to get SSRF. The @, ?, # and ; characters all have a sticky history with URL parsing. The SSRF bible is a good resource for thinking outside the box on this. The URL has 9 parts: protocol, user, password, subdomain, domain, top level domain, port, path, query and fragment. Directory traversal can be very powerful with a relative path as well. This could allow hitting unintended endpoints on the application.

Justin Gardner has even more tricks. Different layers of URL encoding can cause issues; Justin mentions using 3 layers of URL encoding in an exploit. Another common issue is using a literal . within a regex. Although this seems fine, the . within a regex is actually a single-character wildcard. DNS rebinding attacks: if there is a TOCTOU bug, resolve to a public IP to begin with and then to a private one after the first check has been done. On the same type of thing, the When TLS Hacks You technique also works well.
Analysis Summary
# Tool/Technique: Server-Side Request Forgery (SSRF) Exploitation
## Overview
SSRF is a vulnerability where an attacker influences a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This allows attackers to bypass firewalls, access internal services (like AWS metadata, databases, or internal APIs), and sometimes achieve Remote Code Execution (RCE).
## Technical Details
- **Type:** Technique / Vulnerability Exploitation
- **Platform:** Web Applications, Cloud Infrastructure (AWS, Azure, GCP), Internal Networks.
- **Capabilities:** Internal port scanning, arbitrary file reads, cloud metadata exfiltration, bypass of IP-based ACLs, and DNS rebinding.
- **First Seen:** Early 2000s; categorized in OWASP Top 10 2021.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application
- **TA0007 - Discovery**
- T1046 - Network Service Discovery
- T1082 - System Information Discovery (Cloud Metadata)
- **TA0009 - Collection**
- T1560 - Archive Collected Data
## Functionality
### Core Capabilities
- **Alternative URL Schemes:** Using schemes such as `file://` to read local files (e.g., `/etc/passwd`) or `gopher://` and `dict://` to interact with internal services.
- **IP Obfuscation:** Using alternative encodings like Octal, Hex, or Dword to bypass simple string-based filters.
- **Localhost Bypasses:** Using representations like `127.0.0.1`, `0.0.0.0`, `[::]`, or decimal equivalents.
- **Cloud Metadata Harvesting:** Targeted requests to `http://169.254.169.254` to steal IAM credentials or instance metadata.
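The core capabilities above all come down to one defender's question: does the host in this URL actually point somewhere public once every encoding trick is undone? The validator below is an added example (not code from the thread, IPFuscator or any project it names) that canonicalizes the host before checking it: it rejects non-http(s) schemes and userinfo, parses IPv4 literals the way `inet_aton()` does (octal, hex, dword, short forms), unwraps IPv4-mapped IPv6, and refuses anything loopback, link-local (which covers `169.254.169.254`), RFC 1918 or unspecified. `FAKE_DNS` is a constructed lookup table so the example runs offline; the `instance-data` entry models the EC2 alias from the thread, and `1.2.3.4` is a made-up public address.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. A real validator
# would call socket.getaddrinfo() and check every address it returns.
FAKE_DNS = {
    "api.example.com": ["1.2.3.4"],          # constructed public address
    "instance-data": ["169.254.169.254"],    # the EC2 alias from the thread
}


def parse_legacy_ipv4(text):
    """Parse an IPv4 literal the way inet_aton() does: one to four dot-separated
    parts, each decimal, octal (leading 0) or hex (0x), with the last part
    filling the remaining bytes. Returns an IPv4Address, or None if invalid."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not part.isalnum():            # rejects "", "-1", " 1", "1_0"
            return None
        try:
            if part[:2].lower() == "0x":
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part[1:], 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    width = 4 - len(lead)                 # bytes covered by the last part
    if last >= 1 << (8 * width):
        return None
    number = 0
    for v in lead:
        number = (number << 8) | v
    number = (number << (8 * width)) | last
    return ipaddress.IPv4Address(number)


def host_to_ip(host):
    """Interpret a URL host as an IP literal; None means it is a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return parse_legacy_ipv4(host)


def is_forbidden_ip(ip):
    """Loopback, link-local (covers 169.254.169.254), RFC 1918, unspecified
    (0.0.0.0 and ::), multicast and reserved ranges are never fetchable."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_url(url, dns=FAKE_DNS):
    """Return (allowed, reason). Rejects non-http(s) schemes, userinfo in the
    authority, and any host that is, or resolves to, a non-public address."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:             # e.g. unbalanced IPv6 brackets
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (@) in authority not allowed"
    host = parts.hostname                 # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "empty host"
    literal = host_to_ip(host)
    if literal is not None:
        candidates = [literal]
    elif host in dns:
        candidates = [ipaddress.ip_address(a) for a in dns[host]]
    else:
        return False, f"{host!r} does not resolve"
    for ip in candidates:
        if is_forbidden_ip(ip):
            return False, f"{host!r} -> {ip} is not a public address"
    return True, f"{host!r} -> {candidates[0]}"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1", "file:///etc/passwd",
                      "http://0x7f.1/", "http://2130706433/", "http://[::]/",
                      "http://instance-data/latest/", "http://api.example.com@127.0.0.1/"):
        print(candidate, "->", check_url(candidate))
```

The order matters: canonicalize first, then apply the range check to the canonical form, and apply it to every address a name resolves to rather than the first one. A string denylist of `127.0.0.1` and `169.254.169.254` would pass every encoded form the thread lists.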
### Advanced Features
- **DNS Rebinding:** Utilizing Time-of-Check to Time-of-Use (TOCTOU) flaws where a domain initially resolves to a safe public IP but subsequently resolves to a private internal IP.
- **URL Parser Confusion:** Exploiting differences in how various libraries (cURL vs. Python requests) parse URL components (`@`, `?`, `#`, `;`) to sneak malicious payloads past validators.
- **Multi-layer Encoding:** Using double or triple URL encoding to bypass Web Application Firewalls (WAFs).
- **TLS Poisoning:** Using the "When TLS Hacks You" technique to deliver payloads via SNI or session identifiers.
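The DNS rebinding item is a time-of-check/time-of-use problem in the fetcher, and the fix is structural rather than a better filter. The example below is added here (it is not code from the thread or from any library it mentions) and contrasts the two flows: `fetch_vulnerable` validates one lookup and then hands the name to the client, which resolves again; `fetch_pinned` resolves once, validates that answer and connects to that exact address. `RebindingResolver` is a constructed resolver that answers with a public address once and a private address afterwards, `rebind.example` is a made-up name, and `open_connection` stands in for the client's socket so the example runs offline.

```python
import ipaddress


class RebindingResolver:
    """Constructed resolver modelling a short-TTL record whose answer changes:
    the first lookup returns a public address, every later lookup a private
    one. Real code would query DNS; this runs offline."""

    def __init__(self, name, first_answer, later_answer):
        self.name = name
        self.first_answer = first_answer
        self.later_answer = later_answer
        self.lookups = 0

    def resolve(self, name):
        if name != self.name:
            raise LookupError(f"unknown name {name!r}")
        self.lookups += 1
        return self.first_answer if self.lookups == 1 else self.later_answer


def is_forbidden_ip(ip_text):
    """Block loopback, RFC 1918, link-local (169.254.0.0/16) and unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def open_connection(ip, host_header):
    """Stand-in for the HTTP client's socket: records the peer actually used.
    A real client would also need the TLS SNI set to host_header."""
    return {"peer": ip, "host_header": host_header}


def fetch_vulnerable(host, resolver):
    """TOCTOU pattern: validate the result of one lookup, then hand the *name*
    to the HTTP client, which resolves it again and may get a different answer."""
    if is_forbidden_ip(resolver.resolve(host)):
        raise PermissionError(f"{host} resolved to a forbidden address")
    return open_connection(resolver.resolve(host), host)   # second lookup


def fetch_pinned(host, resolver):
    """Resolve exactly once, validate that answer, and connect to that address.
    The name is only used for the Host header (and SNI), never re-resolved."""
    ip = resolver.resolve(host)
    if is_forbidden_ip(ip):
        raise PermissionError(f"{host} resolved to a forbidden address")
    return open_connection(ip, host)


def peer_reached(fetch, host, resolver):
    """Run one fetch strategy and report the peer it connected to, or 'blocked'."""
    try:
        return fetch(host, resolver)["peer"]
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    name = "rebind.example"                 # constructed name
    print("vulnerable flow reached:",
          peer_reached(fetch_vulnerable, name, RebindingResolver(name, "1.2.3.4", "127.0.0.1")))
    print("pinned flow reached:",
          peer_reached(fetch_pinned, name, RebindingResolver(name, "1.2.3.4", "127.0.0.1")))
```

Two practical consequences of pinning: every redirect hop is a new URL and must go through the same resolve-validate-connect sequence, and because the connection is made by IP, the Host header and SNI have to be supplied explicitly. Many teams find it easier to put the address check inside the HTTP client's connection hook, which sees the address the client is really about to use.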
## Indicators of Compromise
- **File Names:** N/A (Standard web logs)
- **Network Indicators:**
- Requests to `169.254.169.254` or `instance-data[.]ec2[.]internal`
- Inbound requests containing `file:`, `gopher:`, or `dict:` schemes in parameters.
- Outbound traffic from web servers to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- **Behavioral Indicators:**
- High volume of requests with varying IP encodings (IPFuscator artifacts).
- Rapid DNS resolution changes for a single domain (DNS Rebinding).
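The network and behavioral indicators above can be checked directly against web server access logs. The scanner below is an added example (not from the thread or any tool it names) that pulls every query value out of each request line, percent-decodes it repeatedly while counting the layers (the triple-encoding trick from the thread shows up as a count of 2 or more), and tags values that carry a non-http(s) scheme, userinfo before `@`, the metadata hosts named on this page, or a literal private/loopback/link-local address. `SAMPLE_LOG` is a constructed set of combined-format log lines written to exercise each check; nothing in it was captured from a real system.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined log format). The targets are made up
# so that each line exercises one indicator.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Oct/2024:13:55:36 +0000] "GET /fetch?url=https://cdn.example.com/a.png HTTP/1.1" 200 512
10.1.2.3 - - [10/Oct/2024:13:55:37 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 88
10.1.2.3 - - [10/Oct/2024:13:55:38 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0
10.1.2.3 - - [10/Oct/2024:13:55:39 +0000] "GET /fetch?url=%2568ttp%253A%252F%252F10.0.0.5%252Fadmin HTTP/1.1" 200 40
10.1.2.3 - - [10/Oct/2024:13:55:40 +0000] "GET /fetch?url=http://cdn.example.com@127.0.0.1/ HTTP/1.1" 200 10
10.1.2.3 - - [10/Oct/2024:13:55:41 +0000] "GET /fetch?url=http://instance-data/latest/ HTTP/1.1" 200 88
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')
METADATA_HOSTS = {"169.254.169.254", "instance-data"}   # from this page


def decode_layers(value, max_layers=5):
    """Percent-decode until the value stops changing; return (text, layers)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def raw_query_values(path):
    """Yield query values without decoding them, so encoding layers can be counted."""
    for pair in urlsplit(path).query.split("&"):
        if pair:
            yield pair.partition("=")[2]


def classify_target(value):
    """Return indicator tags for one query value once fully decoded."""
    decoded, layers = decode_layers(value)
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return ["unparseable-url"]
    if not parts.scheme:
        return []                         # plain text, not a URL
    tags = []
    if layers >= 2:
        tags.append("multi-layer-encoding")
    if parts.scheme.lower() not in ("http", "https"):
        tags.append(f"scheme:{parts.scheme.lower()}")
    if parts.username is not None:
        tags.append("userinfo")
    host = parts.hostname or ""
    if host in METADATA_HOSTS:
        tags.append("cloud-metadata")
    try:                                  # literal IPs only; names would need DNS
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            tags.append("internal-ip")
    except ValueError:
        pass
    return tags


def scan_log(text):
    """Map 1-based line number -> indicator tags, for lines that have any."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        tags = []
        for value in raw_query_values(match.group(1)):
            tags.extend(classify_target(value))
        if tags:
            hits[number] = tags
    return hits


if __name__ == "__main__":
    for number, tags in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"line {number}: {', '.join(tags)}")
```

Decoding in a loop is what makes the third and fourth sample lines comparable: a single `unquote` would leave the double-encoded value looking like harmless text. The same counter doubles as the behavioral signal for the "varying encodings" indicator when it is aggregated per client over time.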
## Associated Threat Actors
- Widely used by Bug Bounty hunters (e.g., Justin Gardner).
- State-sponsored actors (APTs) for lateral movement.
- Ransomware groups for initial access and credential harvesting.
## Detection Methods
- **Signature-based:** Detect common SSRF patterns in logs (e.g., `?url=http://`, `@127.0.0.1`).
- **Behavioral:** Monitor for web servers initiating connections to internal IPs or cloud metadata services.
- **Regex Audit:** Identifying weak regexes where a `.` (dot) matches any character instead of a literal period.
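The regex audit item deserves a concrete check, because the failure is easy to miss in review. The example below is added here (it is not from the thread or any tool it names): `audit_host_pattern` flags each unescaped `.` outside a character class and a missing start anchor, and `strict_host_pattern` builds the pattern a host allowlist should use, with the host escaped and required to be followed by a delimiter or the end of the string so that a longer host, a different character in place of a dot, or an `@` after the host cannot match. The hostnames in the usage block are constructed.

```python
import re


def audit_host_pattern(pattern):
    """Findings for a regex meant to allowlist a hostname or URL prefix:
    an unescaped '.' outside a character class, and no start anchor."""
    findings = []
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                    # skip whatever is escaped
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            findings.append(f"unescaped '.' at offset {i} matches any character")
        i += 1
    if not pattern.startswith(("^", r"\A")):
        findings.append("no start anchor: pattern can match in the middle of the URL")
    return findings


def strict_host_pattern(host, schemes=("https",)):
    """Anchored pattern: allowed scheme, escaped host, then a delimiter or end.
    Neither 'apiXexample.com', 'api.example.com.other.example' nor
    'api.example.com@...' can satisfy it."""
    scheme_alt = "|".join(re.escape(s) for s in schemes)
    return rf"^(?:{scheme_alt})://{re.escape(host)}(?:[/:?#]|$)"


def allowed(pattern, url):
    """True if the URL passes the allowlist pattern."""
    return re.match(pattern, url) is not None


if __name__ == "__main__":
    weak = r"^https://api.example.com"          # constructed weak allowlist
    strict = strict_host_pattern("api.example.com")
    for finding in audit_host_pattern(weak):
        print("weak:", finding)
    for url in ("https://api.example.com/v1", "https://apiXexample.com/",
                "https://api.example.com.other.example/", "https://api.example.com@127.0.0.1/"):
        print(f"{url}: weak={allowed(weak, url)} strict={allowed(strict, url)}")
```

The audit is deliberately narrow (dots and anchoring) and treats `\` as escaping exactly one character, which is enough for allowlist patterns of this shape; it is a code-review aid, not a general regex linter.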
## Mitigation Strategies
- **Allowlisting:** Implement strict allowlists for protocols (HTTPS only) and destination domains/IPs.
- **Input Validation:** Enforce strict URL parsing and reject any input containing alternative encodings or unexpected schemes.
- **Network Isolation:** Disable access to the cloud metadata service (IMDSv1) or enforce IMDSv2 (requires a session token).
- **Disable Unused Schemes:** Ensure the underlying libraries (like cURL) have non-essential schemes (file, gopher, ldap) disabled.
## Related Tools/Techniques
- **Tool: IPFuscator** (Automated IP address obfuscation).
- **Reference: The SSRF Bible** (Comprehensive guide on exploitation).
- **Technique: DNS Rebinding** (Exploiting browser/server trust transitions).