Online Courses
API Penetration Testing Course
Online Courses
API Penetration Testing Course
  • Introduction
  • Setting Up
    • Tools
    • Hacking Lab
  • API Reconnaissance
    • Introduction to API Reconnaissance
    • Passive Reconnaissance
      • Google Dorking
      • GitDorking
      • TruffleHog
      • API Directories
      • Shodan
      • The Wayback Machine
    • Active Reconnaissance
      • Nmap
      • OWASP Amass
      • Directory Brute-force with Gobuster
      • Kiterunner
      • DevTools
      • Directory Brute-Forcing
  • Endpoint Analysis
    • Reverse Engineering an API
    • Excessive Data Exposure
    • Assessment
  • Scanning APIs
    • Finding Security Misconfigurations
    • Scanning APIs with OWASP ZAP
    • Assessment
  • Authentication Attacks
    • Classic Authentication Attacks
      • Note on Base64 Encoding
    • Token Attacks
    • Assessment
  • Exploiting API Authorization
    • Exploiting API Authorization
    • Broken Object Level Authorization (BOLA)
    • Broken Function Level Authorization (BFLA)
    • Assessment
  • Improper Assets Management
    • Improper Assets Management
    • Finding Improper Assets Management Vulnerabilities
    • Assessment
  • Mass Assignment
    • Mass Assignment Attacks
    • Other Mass Assignment Vectors
    • Hunting for Mass Assignment
    • Assessment
  • Exploiting Server-Side Request Forgery
    • Server-Side Request Forgery
    • Types of SSRF
    • Ingredients for SSRF
    • Testing for SSRF
    • Assessment
  • Injection Vulnerabilities
    • Testing for Injection Vulnerabilities
    • Discovering Injection Vulnerabilities
      • SQL Injection Metacharacters
      • NoSQL Injection
      • OS Injection
    • Fuzzing Wide with Postman
    • Fuzzing Deep with WFuzz
    • Assessment
  • Evasion and Combining Techniques
    • Evasive Maneuvers
    • Combining Techniques
Powered by GitBook
On this page
  • SSRF Impact
  • Payouts
  1. Exploiting Server-Side Request Forgery

Server-Side Request Forgery

PreviousAssessmentNextTypes of SSRF

Last updated 1 year ago

Server-Side Request Forgery (SSRF) is a vulnerability that takes place when an application retrieves remote resources without validating user input. An attacker can supply their own input, in the form of a URL, to control the remote resources that are retrieved by the targeted server. When you have control over what resources a server requests then you can gain access to sensitive data or worse completely compromise a vulnerable host. SSRF is number 10 on the 2021 OWASP Top 10 list and is a growing threat to APIs.

SSRF Impact

The impact of this vulnerability is that an attacker would be able to leverage the target server to perform and process requests that they supply. The attacker could supply URLs that expose private data, scan the target's internal network, or compromise the target through remote code execution. Note that bug bounties payouts for SSRF are driven based on the impact that can be demonstrated with a proof of concept. In other words, make sure to experiment with your SSRF findings and see what can be compromised with them.

To drive the point home check out the bug bounty rewards for SSRF guidelines on Facebook ():

Payouts

  • $40,000 - SSRF in production and reading the response (must include canary in your report).

  • $30,000 - Blind SSRF in production and not reading the response (must trigger the canary alert).

  • $10,000 - Hitting arbitrary endpoints within a corporate network (e.g. through an unpatched CVE on a third-party system).

  • $1,000 - If you can only hit a small number of endpoints within the corporate network (e.g. a small set of hosts or loopback only).

As you can see, the more that you can do with an SSRF finding, the greater the impact and the higher the reward.

https://m.facebook.com/whitehat/payout_guidelines/ssrf/