
Server Side Request Forgery (SSRF)

Sam Sanoop edited this page Jun 5, 2020 · 2 revisions

Introduction

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker can cause the application to initiate a request of the attacker's choosing. This can then be leveraged to make requests to third-party systems, for example:

  • Port scanning on the internal network, via the vulnerable target
  • Access applications running on intranet or local network
  • Use the vulnerable target as a proxy and talk to third party applications on the internet
  • Use the file protocol to read local files from the underlying operating system

Details

Certain APIs or RPC services provide a function that obtains data from another API or application, taking the target in the form of an HTTP request parameter. In these cases, it might be possible to leverage the API to perform actions such as port scanning.

An XML-RPC service is available on port 9090 of the dvws-node application. Within the dvws-node application, a hint regarding usage of this XML-RPC service is shown in the code comments of http://dvws.local/error.html. This information can also be found by brute forcing the http://dvws.local:9090/xmlrpc server directly.

A dvws.CheckUptime XML-RPC method is available, which makes a request to the http://127.0.0.1/uptime endpoint to retrieve system uptime information.

POST /xmlrpc HTTP/1.1
Host: dvws.local:9090
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Connection: close
Content-Length: 174
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0"?><methodCall><methodName>dvws.CheckUptime</methodName><params><param><value><string>http://127.0.0.1/uptime</string></value></param></params></methodCall>

The <param><value><string> element value can be changed to make requests to other entities.
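One way to constrain the dvws.CheckUptime parameter on the server side before any request is made, shown as an added example (not dvws-node's own code). The allowlist contents and the function names `checkUptimeTarget` and `fetchUptime` are assumptions; `fetchUptime` relies on the global `fetch` in Node 18+.

```javascript
// Added example: allowlist check for the URL passed to dvws.CheckUptime.
// ALLOWED_TARGETS and both function names are hypothetical.
const ALLOWED_TARGETS = [
  { protocol: 'http:', hostname: '127.0.0.1', port: '', pathname: '/uptime' },
];

// Returns { ok: true, url } or { ok: false, reason }.
function checkUptimeTarget(raw) {
  let u;
  try {
    // WHATWG parser: normalises case, default ports, dot segments, IPv4 forms.
    u = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Rejects file:, gopher:, ftp: and any other non-HTTP scheme.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  // "http://127.0.0.1@other.example/" has host other.example, not 127.0.0.1.
  if (u.username || u.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  if (u.search || u.hash) {
    return { ok: false, reason: 'query or fragment not allowed' };
  }
  // Compare the parsed components, never a prefix of the raw string.
  const match = ALLOWED_TARGETS.some((t) =>
    t.protocol === u.protocol && t.hostname === u.hostname &&
    t.port === u.port && t.pathname === u.pathname);
  if (!match) {
    return { ok: false, reason: `${u.origin}${u.pathname} not in allowlist` };
  }
  return { ok: true, url: u.href };
}

// Performs the request only for an allowlisted target, and refuses redirects
// so an allowed endpoint cannot bounce the server to another destination.
async function fetchUptime(raw) {
  const verdict = checkUptimeTarget(raw);
  if (!verdict.ok) throw new Error(`rejected: ${verdict.reason}`);
  const res = await fetch(verdict.url, { redirect: 'error' });
  return res.text();
}
```

Because the method only ever needs one endpoint, dropping the client-supplied URL parameter entirely is the simpler fix where the API contract allows it.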
