Online Courses
API Penetration Testing Course

Ingredients for SSRF

When targeting an API for SSRF vulnerabilities, you will want to look for requests that have any of the following:

  • Full URLs in the POST body or parameters.

  • URL paths (or partial URLs) in the POST body or parameters.

  • Headers that carry URLs, such as Referer.

  • User input that may result in the server retrieving a resource.

Let's search the crAPI collection for potential targets. When reviewing the collection we can see three potential requests that involve URLs.

  • POST /community/api/v2/community/posts

  • POST /workshop/api/shop/orders/return_order?order_id=4000

  • POST workshop/api/merchant/contact_mechanic

These three requests each allow user input that might be processed by the server, and some include Referer headers. The community forum post allows any authorized user to submit a title and post to the community board. It might be a stretch, but perhaps there is a content filter involved that would submit a request to any provided URL. The return_order and contact_mechanic requests both involve URLs in some way. The return_order request doesn't seem like an obvious choice; however, the response includes a URL. Testing this request will involve trying to manipulate the URL that is sent in the response. Finally, the contact_mechanic request seems like the most obvious candidate, because the captured request contains a URL for the "Mechanic API".
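The triage described above (scanning a collection for the four SSRF ingredients) can be done mechanically. The script below is an added example, not part of the course or of crAPI: it walks an exported Postman collection (v2.1 JSON layout, folders nesting under `item`) and flags requests that contain full URLs or rooted URL paths in the body or query, URL-bearing headers such as Referer, or a URL echoed in a saved example response, which is how the return_order case becomes visible. The sample collection embedded in it is constructed for the example: the three request paths are the ones listed above, while every header, body, query and response value is made up. The `URL_PARAM_HINT` heuristic (flagging parameter names like `url` or `callback`) goes slightly beyond the page's list and is an assumption of this example.

```python
import json
import re
from typing import Any, Dict, Iterator, List

# Constructed sample in Postman Collection v2.1 layout. The three request paths are
# the ones the text names; all other values are made up and are not crAPI traffic.
SAMPLE_COLLECTION: Dict[str, Any] = {
    "info": {"name": "crAPI (constructed sample)"},
    "item": [
        {"name": "Community", "item": [
            {"name": "New post", "request": {
                "method": "POST",
                "header": [{"key": "Referer", "value": "http://localhost:8888/forum"}],
                "body": {"mode": "raw",
                         "raw": '{"title": "hi", "content": "see /community/api/v2/community/posts/recent"}'},
                "url": {"raw": "http://localhost:8888/community/api/v2/community/posts"}}}]},
        {"name": "Return order", "request": {
            "method": "POST", "header": [], "body": {},
            "url": {"raw": "http://localhost:8888/workshop/api/shop/orders/return_order?order_id=4000",
                    "query": [{"key": "order_id", "value": "4000"}]}},
         # Saved example response; the constructed URL stands in for whatever the API echoes back.
         "response": [{"name": "ok",
                       "body": '{"status": "accepted", "label": "http://example.invalid/return-label"}'}]},
        {"name": "Contact mechanic", "request": {
            "method": "POST", "header": [{"key": "Content-Type", "value": "application/json"}],
            "body": {"mode": "raw",
                     "raw": '{"mechanic_api": "http://example.invalid/mechanic-api", "problem_details": "x"}'},
            "url": {"raw": "http://localhost:8888/workshop/api/merchant/contact_mechanic"}}},
        {"name": "Login", "request": {
            "method": "POST", "header": [],
            "body": {"mode": "raw", "raw": '{"email": "a@b.c", "password": "pw"}'},
            "url": {"raw": "http://localhost:8888/identity/api/auth/login"}}},
    ],
}

FULL_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A rooted path with at least two segments (e.g. /api/v2/posts) that is not the tail of a full URL.
URL_PATH = re.compile(r"(?<![\w:/])(?:/[A-Za-z0-9_.\-]+){2,}")
# Headers whose value is a URL by definition; Referer is the one the text names.
URL_HEADERS = {"referer", "origin", "location"}
# Assumed heuristic (not from the text): parameter names that usually carry a URL.
URL_PARAM_HINT = re.compile(r"url|uri|link|callback|webhook|redirect", re.IGNORECASE)


def _walk(items: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every request entry, descending into folders (which nest under 'item')."""
    for entry in items:
        if "item" in entry:
            yield from _walk(entry["item"])
        elif "request" in entry:
            yield entry


def _url_reasons(text: str, where: str) -> List[str]:
    """Describe whether text holds a full URL or, failing that, a rooted URL path."""
    if FULL_URL.search(text):
        return [f"full URL in {where}"]
    if URL_PATH.search(text):
        return [f"URL path in {where}"]
    return []


def find_ssrf_candidates(collection: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the requests that carry at least one SSRF ingredient, with the reasons."""
    hits: List[Dict[str, Any]] = []
    for entry in _walk(collection.get("item", [])):
        req = entry["request"]
        reasons: List[str] = []
        body = req.get("body") or {}
        if isinstance(body.get("raw"), str):
            reasons += _url_reasons(body["raw"], "request body")
        url = req.get("url") or {}
        url = url if isinstance(url, dict) else {"raw": str(url)}
        for param in url.get("query") or []:
            key = str(param.get("key", ""))
            reasons += _url_reasons(str(param.get("value", "")), f"query param {key}")
            if URL_PARAM_HINT.search(key):
                reasons.append(f"URL-like parameter name {key}")
        for header in req.get("header") or []:
            if str(header.get("key", "")).lower() in URL_HEADERS:
                reasons.append(f"URL-bearing header {header.get('key')}")
        # A URL in a saved response suggests the server builds or follows one itself.
        for resp in entry.get("response") or []:
            if isinstance(resp.get("body"), str):
                reasons += _url_reasons(resp["body"], "saved response")
        if reasons:
            hits.append({"name": entry.get("name"), "method": req.get("method"),
                         "url": url.get("raw", ""), "reasons": reasons})
    return hits


def scan_file(path: str) -> List[Dict[str, Any]]:
    """Scan a collection exported from Postman (File > Export, Collection v2.1 JSON)."""
    with open(path, encoding="utf-8") as fh:
        return find_ssrf_candidates(json.load(fh))


if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_COLLECTION):
        print(f"{hit['method']} {hit['url']}\n    " + "\n    ".join(hit["reasons"]))
```

Run against the embedded sample it reports the community post (Referer header plus a path in the body), the return_order request (URL only in the saved response) and contact_mechanic (full URL in the body), and stays silent on the login request. Point `scan_file` at your own export to shortlist requests for manual review; the output is a starting list, not a verdict, since a URL in a body says nothing yet about whether the server fetches it.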


Last updated 1 year ago