Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker induces a server to make HTTP (or other) requests on the attacker's behalf, typically to internal or private network resources that the attacker cannot reach directly. When it occurs in APIs, SSRF can lead to a range of security issues, including exposure of sensitive internal data, unauthorized access to internal systems, and a foothold for further exploitation.

Common Scenarios of SSRF in APIs

  1. Internal Network Scanning
  2. Accessing Internal Metadata
  3. Exfiltrating Data
  4. Bypassing Firewall Rules
  5. Performing Unauthorized Actions

Attack Vectors

Examples

  1. Accessing Internal Services

    GET /api/resource?url=http://internal-service.local/admin
    

    If the API endpoint fetches whatever the url parameter points to without validating the scheme, host, and resolved address, it can be used to reach internal services that are not exposed to the attacker directly.

  2. Accessing Cloud Metadata

    GET /api/fetchData?url=http://169.254.169.254/latest/meta-data/
    

    The cloud instance metadata service (169.254.169.254 on AWS, GCP, and Azure) is reachable only from the instance itself, so an SSRF in an API running on that instance is often the only way to query it. Note the caveats a practitioner should expect: AWS IMDSv2 requires a session token obtained with a PUT request to /latest/api/token, which a GET-only SSRF cannot issue; GCP requires the Metadata-Flavor: Google header; Azure requires the Metadata: true header. Where the vulnerable API lets the attacker control only the URL, those protections block the simple request shown here.

  3. Exfiltrating Data

    POST /api/submit
    Content-Type: application/json
    
    {
      "url": "http://internal-db.local/data"
    }
    

    Using the API to retrieve sensitive data from internal databases or other internal HTTP services and return it in the API response, which turns the SSRF into a direct data exfiltration channel.
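
The three examples above share one root cause: the URL is used as received. The following Python is an added example, not code from the original page, that puts the vulnerable pattern beside a hardened validator and runs the page's three payloads through it. It goes a little beyond the page by also covering IPv6-mapped addresses, decimal IP notation, and DNS rebinding. The names FAKE_DNS, fake_resolve, validate_outbound_url and the address mappings are assumptions constructed for the example so that it runs offline; they are not real records.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed hostname -> address table standing in for DNS so the example
# runs offline. None of these mappings are real records.
FAKE_DNS = {
    "internal-service.local": ["10.0.0.5"],
    "internal-db.local": ["10.0.1.20"],
    "example.com": ["93.184.216.34"],
    # A rebinding name: one public record and one loopback record.
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
    # Mirrors what inet_aton does with a bare decimal: 2852039166 == 169.254.169.254.
    "2852039166": ["169.254.169.254"],
}


def fake_resolve(host):
    """Offline resolver used by the example; raises like the real one."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {host}")


def system_resolve(host):
    """Real resolver: return every address, since any record may be used."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def vulnerable_fetch_target(url):
    """The pattern behind the examples above: the url parameter is trusted as-is."""
    return url


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:10.0.0.5 is still 10.0.0.5; unwrap IPv4-mapped IPv6 before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which includes the metadata service), unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolve=system_resolve, allowed_ports=(80, 443)):
    """Return (ok, reason, addresses) for a URL the server is asked to fetch.

    Every resolved address must be public: if a name has one private record
    (DNS rebinding), the whole URL is rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parsed.hostname  # lowercased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host", []
    if parsed.username or parsed.password:
        return False, "credentials in URL", []
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in allowed_ports:
        return False, "port not allowed", []
    try:
        # IP literals are checked directly; names go through the resolver.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError):
            return False, "unresolvable host", []
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}", addrs
    return True, "ok", addrs


def check_page_examples(resolve=fake_resolve):
    """Run the three payloads from the text through the validator."""
    payloads = [
        "http://internal-service.local/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://internal-db.local/data",
    ]
    return {u: validate_outbound_url(u, resolve=resolve)[0] for u in payloads}


if __name__ == "__main__":
    for url, ok in check_page_examples().items():
        print(f"{'ALLOW' if ok else 'BLOCK'} {url}")
    print("vulnerable handler would fetch:", vulnerable_fetch_target("http://169.254.169.254/"))
```

One design point matters beyond the checks themselves: the HTTP client must connect to an address that was actually validated. If the client re-resolves the hostname after validation, a rebinding name can answer with a public record during the check and a private one at connect time, so either pin the validated address when connecting or disable redirects and re-validate every hop.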

SSRF Exploitation in API

1. Authentication

To begin with, we authenticate by sending a POST request with valid credentials to the /api/v1/authentication/suppliers/sign-in endpoint, which returns a JSON Web Token (JWT) used to authorize the later requests.

Request:

    curl -X POST \
      'http://94.237.59.199:30544/api/v1/authentication/suppliers/sign-in' \
      -H 'accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "Email": "[email protected]",
      "Password": "HTBPentester11"
    }' | jq .