    15 August 22

    Lab Walkthrough - Server Side Request Forgery

    Posted by Litesh Ghute

    What is Server-side Request Forgery?

    Server-side request forgery (SSRF) is a web security vulnerability that enables an attacker to trick a server-side application into sending requests to an unintended location.

    In a typical SSRF attack, the attacker may direct the server to connect to internal-only services located within the infrastructure of the company. Other times, they might be able to force the server to establish connections with arbitrary outside systems, possibly exposing private information like authorization credentials.

    In this article, we will learn how to use a vulnerable lambda function to launch an SSRF attack and read files from a running container.

    Challenge Statement

    In this lab, we will learn how a vulnerable lambda function can be leveraged to perform an SSRF attack and read files from the running container.

    Objective: Exploit the Server Side Request Forgery vulnerability and retrieve the Role’s access key, secret and session token.

    Solution

    Step 1: Start our lab to interact with the web application we built for you!

    Step 2: Check location of the web server.

    Copy the URL given below, paste it into the URL field of the web application, and click the “Check” button.

    URL: https://iplocation.com

    The response shows a preview of the page. Observe it.

    Step 3: With the help of the web application, we will try to read the system files.

    Enter the payload (given below) into the URL section of the web app and hit the “Check” button to see the output.

    Payload:

    file:///etc/passwd

    We can see that we were successfully able to read the system files.

    Step 4: Try reading the environment variables with the help of the web application by reading the /etc/environment file.

    Follow the same procedure as above: enter the payload below into the URL field of the web app and hit the “Check” button.

    Payload:

    file:///etc/environment

    We can see that the file is empty. Let’s try something else.

    Step 5: Try to read the environment variables from a different path. Let’s use the /proc/self/environ file, which lists the environment variables of the current process.

    Payload:

    file:///proc/self/environ

    Bingo! We successfully retrieved the environment variables.

    Step 6: Copy the output from the previous step and paste it into the text editor of your choice and beautify it.

    Voila! We successfully performed the Server Side Request Forgery (SSRF) attack.
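
    The steps above work because the function fetches whatever URL it is given, including file:// URLs. As an added example (not the lab's or INE's code), here is one way the function could vet the URL before fetching it; `validate_fetch_url`, `BlockedURL` and the injectable `resolver` parameter are hypothetical names chosen for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, gopher://, ftp:// etc. are refused


class BlockedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def _is_public(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:  # unwrap ::ffff:a.b.c.d
        addr = addr.ipv4_mapped
    return addr.is_global  # False for loopback, private and link-local ranges


def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Return the vetted destination IPs for url, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise BlockedURL(f"malformed URL: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {scheme!r} not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise BlockedURL("missing host or embedded credentials")
    port = port or (443 if scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise BlockedURL(f"cannot resolve host: {exc}") from exc
    ips = sorted({info[4][0] for info in infos})
    bad = [ip for ip in ips if not _is_public(ip)]
    if not ips or bad:
        raise BlockedURL(f"non-public destination: {bad}")
    return ips


if __name__ == "__main__":
    for payload in ("file:///etc/passwd", "file:///proc/self/environ"):
        try:
            validate_fetch_url(payload)
        except BlockedURL as err:
            print(payload, "->", err)
```

    The fetch itself should connect to one of the returned IPs and not follow redirects without re-running the check; otherwise a second DNS lookup or a redirect can still reach an internal address.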

    Conclusion

    In this article, we saw how a vulnerable lambda function can be leveraged to perform an SSRF attack and read files from the running container, retrieving the Role’s access key, secret and session token. I hope you enjoyed this article. Happy learning!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.