Server Side Request Forgery
Exam Preparation
● What do you guys feel like you want to work on?
● What kind of exercises do you guys want for practice?
  ○ I will make some possibly.
● Are there any other questions about the exam layout?
Overview
● What is Server Side Request Forgery
● What is the impact
● How/where does it arise
  ○ Potential entry points
● Cloud Hosting - Google Cloud Engine, AWS, Linode, DO
● Exploiting Local Services
● Other protocols/protocol smuggling (ftp://, gopher://, expect://)
● OOB techniques
What is SSRF
● Abhi already told you guys.
● Where you tell the server to make a request on your behalf.
SSRF in piqturz - normal request
SSRF in piqturz - actual SSRF.
What is the impact?
● Network Isolation Breach
● Breach of trust boundaries.
SSRF Network Boundary Breach
Where does it arise?
● Where applications include files
● Where applications preview your content
● Where applications let you choose somewhere to upload files
Slack link preview
Facebook messenger link preview.
#DEMO
Cloud Hosting
● AWS - 169.254.169.254
● GCE - http://metadata.google.internal
● DigitalOcean - http://169.254.169.254
● Linode - Not sure, might not be one
#DEMO
Exploiting local services
● Services listening only on local ports.
● Not exposed to the internet
● Probably unauthenticated.
Common Local Services
● Local Elasticsearch instances - :9200 :9300
● HashiCorp Consul - :8500
● Jenkins - :8080
● Memcached - :11211
● Other services - :443, 8080, 8443
Protocol Smuggling
Gopher in a nutshell.
#gophersuxlol
● http://ssrfphp.lecture.ns.agency/?q=gopher%3A%2F%2F192.184.89.99:9998/a%2547%2545%2554%2520%252f%2520%2548%2554%2554%2550%252f%2531%252e%2531%250a%2548%256f%2573%2574%253a%2520%2576%252e%256d%2565%2577%2579%252e%2570%2577%253a%2539%2539%2539%2539
#gophersuxlol
● Sends your data as raw tcp.
● Lets you craft tcp packets by hand
● Lets you interact with other protocols (not just HTTP)
  ○ E.g. FTP
  ○ E.g. MySQL
https://blog.formsec.cn/2018/01/22/SSRF-To-RCE-in-MySQL/ crazy chinese people
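Added example (not from the slides): a Python pre-fetch check of the kind a link-preview or image fetcher can run before making the request, covering both the Cloud Hosting and the protocol-smuggling slides. It refuses non-HTTP schemes (gopher://, ftp://, expect://), the metadata hostnames and addresses listed above, and anything that resolves to a loopback, link-local or private address, which is where the local services above live. The hostnames, IPs and the injectable resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a link-preview or image fetcher should accept. The other schemes
# the slides mention (gopher://, ftp://, expect://) are refused before any I/O.
ALLOWED_SCHEMES = {"http", "https"}

# Cloud metadata hostnames that must never be fetched, whatever DNS answers.
BLOCKED_HOSTS = {"metadata.google.internal", "metadata"}


def resolve_all(host):
    """Every A/AAAA answer for host as a list of strings (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_ip(ip):
    """True for loopback, link-local (169.254.0.0/16 contains the AWS and
    DigitalOcean metadata address 169.254.169.254), RFC 1918, multicast and
    any other range that is not publicly routable."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 zone id
    return (not addr.is_global) or addr.is_multicast


def check_outbound_url(url, resolve=resolve_all):
    """Decide whether the server may fetch url on a user's behalf.

    Returns (allowed, reason). The resolver is injectable (constructed hook
    for this example) so the check runs offline; production keeps the default.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        return False, "blocked metadata host: %s" % host
    try:
        answers = resolve(host)
    except OSError as exc:
        return False, "dns failure: %s" % exc
    # One non-public answer is enough to refuse: a zone the attacker controls
    # can mix public and private records for the same name.
    for ip in answers:
        if is_forbidden_ip(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"
```

The gap between this resolution and the HTTP client's own lookup (DNS rebinding), and redirects to an internal target, still bypass the check unless the client connects to the vetted IP and re-validates every redirect.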
OOB Techniques
● OOB XXE
  ○ Where you can exfil information by DNS requests.
● Burp collaborator
2nd Order SSRF
● Where it's not immediately obvious
● Need to go somewhere else to trigger it/view it cached.
Sick Writeups
● http://polynome.co/infosec/inversoft/elasticsearch/linode/penetration-testing/2016/08/16/hack-that-inversoft.html
● https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
● http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
● http://blog.safebuff.com/2016/07/03/SSRF-Tips/
● https://blog.formsec.cn/2018/01/22/SSRF-To-RCE-in-MySQL/