=== What is the potential impact?

SSRF usually results in unauthorized actions or data disclosure in the
vulnerable application or on a different system it can reach. Depending on
what is reachable, remote command execution can be achieved, although it often
requires chaining with further exploitation.

Information disclosure is SSRF's core outcome. Depending on the extracted data,
an attacker can perform a variety of different actions that can range from low
to critical severity.

Below are some real-world scenarios that illustrate the various effects of an
attacker exploiting the vulnerability.

==== Local file read to host takeover

An attacker manipulates an application into performing a local request for a
sensitive file, such as `~/.ssh/id_rsa`, by using the File URI scheme
`file://`. +
Once in possession of the SSH keys, the attacker establishes a remote
connection to the system hosting the web application.

==== Internal Network Reconnaissance

An attacker enumerates internally accessible ports on the affected server, or
on other hosts the server can reach, by iterating over the port field in the
URL `http://127.0.0.1:{port}`. +
Taking advantage of other supported URL schemes (dependent on the affected
system), for example `gopher://127.0.0.1:3306`, an attacker would be able to
connect to a database service and perform queries on it.
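A defensive counterpart to the two scenarios above, added here as an illustration and not taken from the rule's own text: an outbound-URL check, written in Python, that refuses the non-HTTP schemes (`file://`, `gopher://`) and the loopback, private and link-local targets these scenarios rely on. The function names and the injectable `resolve` parameter are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web fetches are allowed: this rejects file://, gopher://,
# dict://, ftp:// and every other scheme the underlying client might support.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_address(ip: str) -> bool:
    """True only for globally routable addresses.

    ``is_global`` is False for loopback (127.0.0.0/8, ::1), private (10/8,
    172.16/12, 192.168/16), link-local (169.254/16, where cloud metadata
    services live) and other reserved ranges, so one check covers them all.
    """
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def is_safe_fetch_url(url: str, resolve=socket.getaddrinfo) -> bool:
    """Return True if ``url`` may be fetched on a user's behalf.

    ``resolve`` (hypothetical parameter) takes the place of DNS so the check
    can be unit-tested offline; it defaults to the real resolver.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False  # no empty host, no user:pass@ tricks
    try:
        answers = resolve(host, port or 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return False
    if not answers:
        return False
    # Every resolved address must be public; a single loopback or private
    # answer is enough to refuse. The address resolved here can still differ
    # from the one used at connect time (DNS rebinding), so the HTTP client
    # should connect to the vetted IP rather than resolving the name again.
    return all(_is_public_address(entry[4][0]) for entry in answers)
```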