- The Guide to Finding and Reporting Web Vulnerabilities
Mechanisms
SSRF vulnerabilities occur when an attacker finds a way to send requests as a trusted server in the target's network. Imagine a public-facing web server on example.com's network named public.example.com. This server hosts a proxy service, located at public.example.com/proxy, that fetches the web page specified in the url parameter and displays it back to the user. For example, when the user accesses the following URL, the web application would display the google.com home page:
https://public.example.com/proxy?url=https://google.com
Now let’s say admin.example.com is an internal server on the network hosting an admin panel. To ensure that only employees can access the panel, administrators set up access controls to keep it from being reached via the internet. Only machines with a valid internal IP, like an employee workstation, can access the panel.
Now, what if a regular user accesses the following URL?
https://public.example.com/proxy?url=https://admin.example.com
Here, the url parameter is set to the URL of the internal admin panel. With no SSRF protection mechanism in place, the web application would display the admin panel to the user, because the request to the admin panel is coming from the web server, public.example.com, a trusted machine on the network.
Through SSRF, servers accept unauthorized requests that firewall controls would normally block, like fetching the admin panel from a non-company machine. Often, the protection that exists on the network perimeter, between public-facing web servers and internet machines, does not exist between machines on the trusted network. Therefore, the protection that hides the admin panel from the internet doesn’t apply to requests sent between the web server and the admin panel server.
By forging requests from trusted servers, an attacker can pivot into an organization’s internal network and conduct all kinds of malicious activities. Depending on the permissions given to the vulnerable internet-facing server, an attacker might be able to read sensitive files, make internal API calls, and access internal services.
SSRF vulnerabilities have two types: regular SSRF and blind SSRF. The mechanisms behind both are the same: each exploits the trust between machines on the same network. The only difference is that in a blind SSRF, the attacker does not receive feedback from the server via an HTTP response or an error message. For instance, in the earlier example, we’d know the SSRF worked if we see admin.example.com displayed. But in a blind SSRF, the forged request executes without any confirmation sent to the attacker.
Let’s say that on public.example.com another functionality allows users to send requests via its web server. But this endpoint does not return the resulting page to the user. If attackers can send requests to the internal network, the endpoint suffers from a blind SSRF vulnerability:
https://public.example.com/send_request?url=https://admin.example.com/delete_user?user=1
Although blind SSRFs are harder to exploit, they’re still extremely valuable to an attacker, who might be able to perform network scanning and exploit other vulnerabilities on the network. We’ll get more into this later.
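The following is an added example, not code from the book, showing the two endpoints described above (the page-returning /proxy and the blind /send_request) written as handlers that fetch whatever the url parameter names, next to a hardened version that resolves the hostname and refuses anything that lands on a private, loopback, link-local or otherwise non-public address. DNS and the network are replaced by constructed lookup tables (FAKE_DNS, FAKE_NETWORK) so the example runs offline; the hostnames, addresses and page bodies in them are assumptions for the demonstration, not real records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. The addresses are
# assumptions for the demonstration: admin.example.com sits on an RFC 1918
# address that only machines inside the trusted network can reach.
FAKE_DNS = {
    "google.com": ["142.250.72.14"],     # constructed placeholder public address
    "admin.example.com": ["10.0.0.5"],   # internal-only admin panel
    "localhost": ["127.0.0.1"],
}

# Constructed stand-in for what each address would serve if we connected to it.
FAKE_NETWORK = {
    "142.250.72.14": "<h1>Google home page</h1>",
    "10.0.0.5": "<h1>Admin panel</h1>",
}

ALLOWED_SCHEMES = {"http", "https"}


def fake_resolve(hostname):
    """Mimics socket.gethostbyname_ex(hostname)[2]: the list of A records."""
    try:
        return FAKE_DNS[hostname.lower()]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {hostname!r}")


def real_resolve(hostname):
    """The resolver a production handler would use (not called by the tests)."""
    return socket.gethostbyname_ex(hostname)[2]


def fetch_by_ip(ip):
    """Constructed fetch: a real handler would open the HTTP connection to this
    exact address (not re-resolve the hostname), so the address that was
    checked is the address that is contacted."""
    return FAKE_NETWORK.get(ip, "")


def is_safe_target(url, resolve=real_resolve):
    """Return (True, ip) when url names a routable public host, else (False, reason).

    The check is done on the resolved address, not on the hostname string:
    a name like admin.example.com looks harmless but resolves inside the
    trusted network, which is exactly what SSRF abuses.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing hostname"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = resolve(parts.hostname)
    except socket.gaierror as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Every record must be public; one internal record is enough to block.
        if (not ip.is_global or ip.is_private or ip.is_loopback
                or ip.is_link_local or ip.is_multicast or ip.is_unspecified):
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, addrs[0]


def proxy_vulnerable(url, resolve=fake_resolve):
    """The /proxy handler as described in the text: no checks at all."""
    ip = resolve(urlsplit(url).hostname)[0]
    return fetch_by_ip(ip)


def send_request_vulnerable(url, resolve=fake_resolve):
    """The blind /send_request handler: issues the request, returns nothing."""
    proxy_vulnerable(url, resolve)
    return "request sent"


def proxy_hardened(url, resolve=fake_resolve):
    """Same functionality, but only public targets are fetched."""
    ok, info = is_safe_target(url, resolve)
    if not ok:
        return f"403 blocked: {info}"
    return fetch_by_ip(info)


if __name__ == "__main__":
    print(proxy_vulnerable("https://admin.example.com"))      # leaks the admin panel
    print(proxy_hardened("https://admin.example.com"))        # 403 blocked: ...
    print(proxy_hardened("https://google.com"))               # Google home page
```

Two design points carry over to real code. First, the address that passed the check must be the address the connection goes to; re-resolving the hostname at connect time reopens the hole if the answer changes between the check and the fetch. Second, a deny-list of address ranges is the weaker option: where the feature only ever needs a handful of destinations, an allow-list of permitted hosts is simpler and does not depend on enumerating every internal range correctly. The blind endpoint needs exactly the same check, since the absence of a response does not stop the internal request from executing.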