WAF Bypass SSRF: A Unique Way of Reading Internal Files.
~ Basavaraj Banakar, Oct 9, 2024
Introduction
In the 2021 OWASP Top Ten, SSRF was introduced as a new category, which indicates its rising significance in the threat landscape. The 2019 Data Breach Investigations Report by Verizon highlighted that SSRF vulnerabilities contributed to several high-profile data breaches. Companies such as Capital One, Uber, and Alibaba have all experienced security incidents involving SSRF vulnerabilities. Capital One’s 2019 data breach involved an SSRF vulnerability in combination with misconfigured AWS metadata services, leading to the exposure of over 100 million customer records.
Goal of this Blog
This blog explains a practical approach, from a hacker’s perspective, to bypassing a WAF and exploiting an SSRF vulnerability.
Before that, let’s brush up on what SSRF is. In a Server-Side Request Forgery (SSRF) attack, an attacker abuses functionality on the server to access or manipulate internal resources. By supplying or modifying a URL, the attacker can force the server to read or submit data to internal services. With carefully crafted requests, an attacker may be able to read sensitive configuration files (e.g., AWS metadata), connect to internal services like HTTP-enabled databases, or perform unauthorized actions on internal servers that were never intended to be exposed to the public.
The target application below contains a download functionality that is vulnerable to SSRF. By exploiting this vulnerability, an attacker is able to fetch AWS metadata and read internal files.
If you’re a business that handles sensitive data, you cannot afford to leave your security to chance. SecIQ’s cybersecurity experts specialize in identifying and fixing complex vulnerabilities like SSRF, ensuring your infrastructure is always one step ahead of attackers.
Steps to Reproduce:
Real-World SSRF Exploitation:
Here, we’ll demonstrate how an attacker could bypass WAF and exploit SSRF vulnerabilities in a target application’s download functionality to fetch sensitive AWS metadata and internal files.
- Step 1: Navigate to https://www.targeappt.com/episodes/ and click on the download option.
- Step 2: The intercepted request looks like this; the direct_download.php?mp3url= parameter is vulnerable to SSRF.
- Step 3: Let’s shorten the AWS metadata URL using bitly.com to bypass the WAF. The WAF only inspects the shortener’s URL in the request; the redirect to the metadata address is followed by the server itself, behind the WAF.
- Step 4: Now fetch the AWS metadata using the shortened link.
- Step 5: The response header discloses an internal hostname.
- Step 6: Let’s access this internal host via the SSRF using the same method, i.e. URL shortening.
- Step 7: Having accessed the internal host, we confirmed that the internal web server runs the same code as the frontend (refer to the step 5 screenshot for the code).
- Step 8: Since the internal host and the frontend run the same code, let’s build a file-read URL that bypasses the Akamai WAF. It looks like this: http://ip-10-136-166-91.ap-south-1.compute.internal/wpcontent/themes/testpath/direct_download.php?mp3url=file:///etc/passwd. The internal host is reached directly by the frontend server rather than through the WAF, so the file:// payload is never inspected. Now shorten this crafted URL.
- Step 9: Now fetch that shortened link through the vulnerable SSRF endpoint to retrieve the contents of /etc/passwd.
Finally, the SSRF vulnerability is successfully exploited 😊
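As an added defensive counterpart to the chain above (not code from the original post or the affected application), the following hypothetical guard for a server-side fetcher shows why both links of the chain fail if the fetcher validates the scheme and the resolved address of every redirect hop, not only the URL the WAF saw. The shortener hostname, DNS table and responses are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical guard for a server-side fetcher such as the download endpoint
# above. The bypass works because the server follows the shortener's redirect,
# so the guard re-validates every hop, not just the URL the WAF inspected.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECTS = {301, 302, 303, 307, 308}

def url_is_safe(url, resolver):
    """Reject non-HTTP schemes (file:///etc/passwd) and any host that resolves
    to a non-global address (169.254.169.254 metadata, ip-10-x internal hosts)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    try:
        addrs = resolver(parsed.hostname)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def fetch_with_guard(url, fetch, resolver, max_hops=3):
    """fetch(url) -> (status, headers, body); redirects are followed by hand so
    each Location is checked before the server ever connects to it."""
    for _ in range(max_hops + 1):
        if not url_is_safe(url, resolver):
            return ("blocked", url)
        status, headers, body = fetch(url)
        if status in REDIRECTS and "Location" in headers:
            url = headers["Location"]
            continue
        return ("ok", body)
    return ("blocked", url)  # too many hops

# Constructed DNS table standing in for the shortener and the internal host
# named in the post; a real deployment would use socket.getaddrinfo.
DNS = {"short.example": ["8.8.8.8"],
       "ip-10-136-166-91.ap-south-1.compute.internal": ["10.136.166.91"]}

def demo_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        if host not in DNS:
            raise OSError("NXDOMAIN")
        return DNS[host]

def demo_fetch(url):
    # Constructed responses: the shortened link 301s to the metadata service.
    if url == "https://short.example/abc":
        return (301, {"Location": "http://169.254.169.254/latest/meta-data/"}, "")
    return (200, {}, "mp3 bytes")
```

Resolving the hostname and checking the resulting address (rather than pattern-matching the URL string) is what makes the check hold for internal hostnames, decimal or hex IP encodings and redirect chains alike.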
Conclusion:
In this example, we’ve demonstrated how an SSRF vulnerability can be exploited to bypass a WAF and gain unauthorized access to internal files, potentially leading to devastating consequences for the affected business.
But here’s the critical question: Is your organization protected against these kinds of attacks? SecIQ offers comprehensive penetration testing, WAF bypass testing, and SSRF vulnerability assessments to ensure your infrastructure is impenetrable. Our highly skilled team of ethical hackers simulates real-world attacks, finding and fixing vulnerabilities before they can be exploited.
Why choose SecIQ?
- Proactive Security: We don’t just react to threats; we anticipate and prevent them with cutting-edge solutions.
- Expert Penetration Testing: Our seasoned team has extensive experience in identifying and resolving even the most hidden vulnerabilities.
- Tailored Services: Whether it’s a full security audit, targeted penetration testing, or WAF configuration reviews, SecIQ offers services designed to meet your specific needs.
- Stay Ahead: As threats evolve, so does our approach. We ensure your defenses are always up to date, providing long-term protection.
At SecIQ, we stay ahead of emerging threats by continuously refining our testing techniques and threat detection capabilities, ensuring our clients remain protected against evolving attacks such as SSRF. By choosing SecIQ, you’re partnering with a team dedicated to safeguarding your business from even the most advanced cyber threats.
Ready to protect your infrastructure? Contact SecIQ today to schedule a consultation and learn how we can help secure your business from SSRF and other critical vulnerabilities.
Stay Secure. Stay Ahead. Choose SecIQ.