Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports

What is Server-Side Request Forgery (SSRF) ?

SSRF is when you, as an attacker, can make the server-side application issue requests of your choosing: the application fetches a URL (or opens a connection) that you control, using its own network position and, often, its own credentials.

Server-Side Request Forgery (SSRF) is frequently reached through, or chained with, another vulnerability. A few common pairings, each shown with a minimal payload that makes the server fetch http://localhost:

XXE with SSRF (an external entity whose SYSTEM identifier is a URL; the XML parser fetches it):

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>

Host Header Injection with SSRF (works when the application builds or fetches URLs from the Host header instead of from a configured hostname):

GET / HTTP/1.1
Host: localhost

HTML Injection with SSRF (works when the injected markup is rendered on the server, for example by a headless browser or a PDF/thumbnail generator):

<iframe src=http://localhost></iframe>

FFmpeg SSRF in HLS playlist processing (the original m3u8 technique; ImageMagick installations that delegate video decoding to FFmpeg are affected as well). A file uploaded as a video is parsed as a playlist, and every segment URI in it is fetched:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://localhost
#EXT-X-ENDLIST

Why is that dangerous?

Let’s assume the application is exposed on port 80/443, while its administrative panel listens only on port 8008 on an internal address. The panel is unreachable from the Internet, but through SSRF you can make the application itself send arbitrary requests to it, and the response (when it is not blind) comes back to you through the application. The same applies to anything else that trusts the server’s network position: internal services that were never given authentication, and cloud instance metadata endpoints (169.254.169.254), which hand out temporary credentials and appear in several of the reports below as the path from SSRF to AWS or Google Cloud key disclosure.
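The defensive side of the pairings above, as an added example that is not code from the article or from any of the products in the reports: a naive "fetch this URL" helper next to a hardened one. The hardened version allow-lists the scheme (so file:// and gopher:// never reach the client), normalises IP literals the way the OS does so spellings like 127.1, 0x7f000001 and [::ffff:127.0.0.1] are judged by the address they really are, resolves a name once and requires every answer to be globally routable (a public-plus-loopback answer is the usual DNS-rebinding setup), refuses redirects, and connects to the address it checked while sending the original name in the Host header. The hostnames and DNS answers in FAKE_DNS are constructed so the demo runs offline.

```python
# Added example: a URL fetcher hardened against SSRF (not code from the article
# or from any program it lists). Hostnames and DNS answers below are constructed.
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}


class UnsafeURL(ValueError):
    """The URL must not be fetched on the server's behalf."""


def fetch_naive(url):
    # Vulnerable: file://, gopher://, http://127.0.0.1:8008/admin and
    # http://169.254.169.254/ all go straight to the HTTP client.
    return urllib.request.urlopen(url).read()


def parse_ip_literal(host):
    """ip_address for an IP literal, None for a name. Also accepts the shorthand
    the C inet_aton() accepts ("127.1", "0x7f000001", "2130706433"), because
    that is what the socket layer would connect to; a dotted-quad-only filter
    is bypassed by exactly these spellings."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]


def address_is_safe(ip):
    """Only globally routable unicast passes. IPv4-mapped IPv6 (::ffff:127.0.0.1)
    is unwrapped so loopback cannot hide in an IPv6 literal. is_global is False
    for loopback, RFC 1918, CGNAT, 0.0.0.0/8, ULA and link-local, which is where
    cloud metadata (169.254.169.254) lives."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def validate_url(url, resolver=system_resolver):
    """Return (scheme, host, port, ip, path) or raise UnsafeURL. Every resolved
    address must pass: one public plus one private record is rejected outright."""
    try:
        parts = urlsplit(url)
        port = parts.port or ALLOWED_SCHEMES.get(parts.scheme)
    except ValueError as exc:  # malformed bracketed host or non-numeric port
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeURL("missing host")
    ip = parse_ip_literal(parts.hostname)
    try:
        addresses = [ip] if ip is not None else resolver(parts.hostname)
    except OSError as exc:  # NXDOMAIN and friends
        raise UnsafeURL(f"cannot resolve {parts.hostname!r}") from exc
    if not addresses:
        raise UnsafeURL(f"{parts.hostname!r} does not resolve")
    for addr in addresses:
        if not address_is_safe(addr):
            raise UnsafeURL(f"{parts.hostname!r} -> non-public {addr}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.scheme, parts.hostname, port, addresses[0], path


def is_allowed(url, resolver=system_resolver):
    try:
        validate_url(url, resolver)
        return True
    except UnsafeURL:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A 302 from an allowed host to http://127.0.0.1/ would sidestep the check.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_hardened(url, resolver=system_resolver, timeout=5):
    """Connect to the checked address and send the original name in Host, so the
    name cannot re-resolve between check and use. Plain HTTP only: for HTTPS the
    TLS layer must be pinned too (server_hostname=host), which urllib lacks."""
    scheme, host, port, ip, path = validate_url(url, resolver)
    if scheme != "http":
        raise NotImplementedError("pinned HTTPS needs a client with SNI control")
    ip_text = f"[{ip}]" if ip.version == 6 else str(ip)
    req = urllib.request.Request(f"http://{ip_text}:{port}{path}", headers={"Host": host})
    return urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout).read()


# Constructed DNS answers so the demo runs offline (example.com's value is illustrative).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "admin.internal": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    for u in ("http://example.com/", "http://127.1/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/", "http://rebind.attacker.test/"):
        print(f"{u:45} {'allowed' if is_allowed(u, fake_resolver) else 'BLOCKED'}")
```

Two caveats worth keeping in mind when adapting this: the check is only as good as the resolver the application actually uses (a proxy or a library with its own DNS cache must see the same pinned address), and "not globally routable" is a floor, not a ceiling. Internal services on public IP ranges, and the metadata service behind an IMDSv2 token, still need an explicit allow-list of destinations the feature genuinely needs.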

Different Types of Server-Side Request Forgery

There are mainly 3 different types of Server-Side Request Forgery (SSRF) that you must be aware of:

  • Normal (non-blind) Server-Side Request Forgery (SSRF): the application returns the response of the forged request to you, so you can read it in your browser/interceptor.

Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: SSRF in Exchange leads to ROOT access in all instances

Company: Shopify

Bounty: $25,000

Link: https://hackerone.com/reports/341876

#2

Title: Full Read SSRF on Gitlab’s Internal Grafana

Company: GitLab

Bounty: $12,000

Link: https://hackerone.com/reports/878779

#3

Title: SSRF on project import via the remote_attachment_url on a Note

Company: GitLab

Bounty: $10,000

Link: https://hackerone.com/reports/826361

#4

Title: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com

Company: GitLab

Bounty: $6,000

Link: https://hackerone.com/reports/1092230

#5

Title: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery

Company: GitLab

Bounty: $5,000

Link: https://hackerone.com/reports/541169

#6

Title: Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure

Company: Dropbox

Bounty: $4,913

Link: https://hackerone.com/reports/923132

#7

Title: Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

Company: Snapchat

Bounty: $4,000

Link: https://hackerone.com/reports/530974

#8

Title: Unauthenticated blind SSRF in OAuth Jira authorization controller

Company: GitLab

Bounty: $4,000

Link: https://hackerone.com/reports/398799

#9

Title: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration

Company: HackerOne

Bounty: $3,500

Link: https://hackerone.com/reports/374737

#10

Title: Server Side Request Forgery mitigation bypass

Company: GitLab

Bounty: $3,500

Link: https://hackerone.com/reports/632101

#11

Title: SSRF in CI after first run

Company: GitLab

Bounty: $3,000

Link: https://hackerone.com/reports/369451

#12

Title: External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing

Company: TikTok

Bounty: $2,727

Link: https://hackerone.com/reports/1062888

#13

Title: Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF

Company: New Relic

Bounty: $2,500

Link: https://hackerone.com/reports/708589

#14

Title: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE

Company: Rockstar Games

Bounty: $1,500

Link: https://hackerone.com/reports/288353

#15

Title: SSRF on https://qiwi.com using “Prerender HAR Capturer”

Company: QIWI

Bounty: $1,500

Link: https://hackerone.com/reports/1153862

#16

Title: Blind SSRF in emblem editor (2)

Company: Rockstar Games

Bounty: $1,500

Link: https://hackerone.com/reports/265050

#17

Title: SSRF — Unchecked Snippet IDs for distributed files

Company: Open-Xchange

Bounty: $1,500

Link: https://hackerone.com/reports/997926

#18

Title: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int

Company: QIWI

Bounty: $1,000

Link: https://hackerone.com/reports/713900

#19

Title: SSRF chained to hit internal host leading to another SSRF which allows to read internal images.

Company: PlayStation

Bounty: $1,000

Link: https://hackerone.com/reports/826097

#20

Title: SSRF on image renderer

Company: PlayStation

Bounty: $1,000

Link: https://hackerone.com/reports/811136

#21

Title: SSRF in webhooks leads to AWS private keys disclosure

Company: Omise

Bounty: $700

Link: https://hackerone.com/reports/508459

#22

Title: SSRF In Get Video Contents

Company: Semrush

Bounty: $500

Link: https://hackerone.com/reports/643622

#23

Title: SSRF in api.slack.com, using slash commands and bypassing the protections.

Company: Slack

Bounty: $500

Link: https://hackerone.com/reports/381129

#24

Title: SVG Server Side Request Forgery (SSRF)

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/223203

#25

Title: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint

Company: GSA Bounty

Bounty: $300

Link: https://hackerone.com/reports/895696

Bonus: 10 Zero-Dollar SSRF Reports

#1

Title: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft

Company: Lyft

Bounty: $0

Link: https://hackerone.com/reports/885975

#2

Title: SSRF on duckduckgo.com/iu/

Company: DuckDuckGo

Bounty: $0

Link: https://hackerone.com/reports/398641

#3

Title: XXE Injection through SVG image upload leads to SSRF

Company: Zivver

Bounty: $0

Link: https://hackerone.com/reports/897244

#4

Title: Sending Emails from DNSDumpster — Server-Side Request Forgery to Internal SMTP Access

Company: Hacker Target

Bounty: $0

Link: https://hackerone.com/reports/392859

#5

Title: SSRF in alerts.newrelic.com exposes entire internal network

Company: New Relic

Bounty: $0

Link: https://hackerone.com/reports/198690

#6

Title: Server-Side Request Forgery (SSRF) in Ghost CMS

Company: Node.js third-party modules

Bounty: $0

Link: https://hackerone.com/reports/793704

#7

Title: Blind SSRF in “Integrations” by abusing a bug in Ruby’s native resolver.

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/287245

#8

Title: SSRF vulnerability on ██████████ leaks internal IP and various sensitive information

Company: U.S. Dept Of Defense

Bounty: $0

Link: https://hackerone.com/reports/310036

#9

Title: Bypass for blind SSRF #281950 and #287496

Company: Infogram

Bounty: $0

Link: https://hackerone.com/reports/642675

#10

Title: SSRF

Company: Cloudflare Vulnerability Disclosure

Bounty: $0

Link: https://hackerone.com/reports/253558

Thanks very much, and I hope you found this article helpful!