2022-09-01 17:36:53 +02:00
=== What is the potential impact?
SSRF usually results in unauthorized actions or data disclosure in the
vulnerable application or on a different system it can reach. Depending on
what is reachable, remote command execution can be achieved, although it often
requires chaining with further exploitation.
Information disclosure is SSRF's core outcome. Depending on the extracted data,
an attacker can perform a variety of different actions that can range from low
to critical severity.
Below are some real-world scenarios that illustrate the impact of an attacker
exploiting the vulnerability.
==== Local file read to host takeover
An attacker manipulates an application into performing a local request for a
sensitive file, such as `~/.ssh/id_rsa`, by using the File URI scheme
`file://`. +
Once in possession of the SSH keys, the attacker establishes a remote
connection to the system hosting the web application.
==== Internal Network Reconnaissance
An attacker enumerates internally accessible ports on the affected server, or
on other hosts the server can communicate with, by iterating over the port
field in the URL `\http://127.0.0.1:{port}`. +
Taking advantage of other URL schemes supported by the affected system, for
example `gopher://127.0.0.1:3306`, an attacker would be able to connect to a
database service and perform queries on it.
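The three scenarios above share one root cause: the application fetches a user-influenced URL with whatever scheme, host and port it contains. As an added example (not part of the original rule text), the following Python validator, with a constructed allowlist of hosts, schemes and ports, rejects each of those URL shapes before any request is sent and returns a reason suitable for logging:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts, schemes and ports the
# application legitimately needs to reach. Everything else is rejected.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def check_outbound_url(url: str) -> tuple[bool, str]:
    """Validate a user-influenced URL before the server fetches it.
    Returns (allowed, reason); log the reason so rejected requests can be
    reviewed as potential SSRF attempts."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    # Scheme allowlist: rejects file://, gopher://, dict:// and similar.
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<empty>'}"
    # Credentials in the authority (http://allowed-host@other-host/) confuse
    # naive host checks, so refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IP addresses are never allowed: this covers 127.0.0.1 and ::1 as
    # well as RFC 1918 and link-local ranges without keeping a range table.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, fall through to the hostname allowlist
    else:
        return False, f"literal IP address not allowed: {host}"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    return True, "ok"
```

The hostname allowlist deliberately avoids DNS resolution; if the application must fetch from arbitrary hosts instead, the resolved address has to be checked against private and loopback ranges as well, and HTTP redirects must be disabled or re-validated, since a permitted host can redirect to an internal one.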