Let’s assume you are hosting an application on port 80/443 externally, and the administrative panel is hosted on port 8008 internally, reachable only from the server itself. Through SSRF, an attacker can make the vulnerable server send arbitrary requests to that internal administrative panel on their behalf.
Different Types of Server-Side Request Forgery
There are mainly 3 different types of Server-Side Request Forgery (SSRF) that you must be aware of:
Normal Server-Side Request Forgery (SSRF): You can see the response of the SSRF request in your browser/interceptor.
Blind Server-Side Request Forgery (SSRF): You cannot see the response of the SSRF request directly as in a normal SSRF, but you will still be able to trigger actions blindly. To validate a blind SSRF, set up a listener that you control, supply the listener's address as the SSRF payload, and check whether the listener receives a request from the target.
Time-based Server-Side Request Forgery (SSRF): The application's response time differs observably between requests to internal resources that exist and those that do not.
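All three variants share one root cause: the server fetches whatever URL it is handed. The following is an added defensive example (not code from the original post) that validates a user-supplied URL before the server fetches it, so that requests to loopback, private and link-local addresses, including the hypothetical internal admin panel on port 8008 from the scenario above, are refused. The `CONSTRUCTED_DNS` table and `stub_resolver` are constructed so the example runs offline; in production `validate_outbound_url` uses real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed lookup table so the example runs without network access.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],            # public host
    "admin.internal": ["10.0.0.5"],              # private host
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback record
}

def stub_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS; raises OSError for unknown names like getaddrinfo."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"unknown host {host!r}")
    return CONSTRUCTED_DNS[host]

def dns_resolver(host: str) -> list[str]:
    """Real DNS lookup: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_outbound_url(url: str, resolve=dns_resolver,
                          allowed_schemes=("http", "https"),
                          allowed_ports=(80, 443)) -> tuple[bool, str]:
    """Return (ok, reason). Reject anything that would reach an internal service."""
    parsed = urlparse(url)
    if parsed.scheme not in allowed_schemes:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    try:
        targets = [str(ipaddress.ip_address(host))]  # IP literal, incl. bracketed IPv6
    except ValueError:
        try:
            targets = resolve(host)
        except OSError:
            return False, f"cannot resolve {host!r}"
    # Every record must be public: a single private/loopback record is enough to refuse.
    for ip in targets:
        if not is_public_address(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, "ok"
```

To avoid a DNS-rebinding window between this check and the fetch, connect to the validated IP rather than re-resolving the name at request time.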
Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
Title: SSRF in Exchange leads to ROOT access in all instances