Lab Walkthrough - Server Side Request Forgery
What is Server-side Request Forgery?
Server-side request forgery (SSRF) is a web security vulnerability that lets an attacker induce the server-side application to send requests to an unintended location.
In a typical SSRF attack, the attacker directs the server to connect to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially exposing sensitive data such as authorization credentials.
In this article, we will learn how a vulnerable Lambda function can be used to launch an SSRF attack and read files from the running container.
Challenge Statement
In this lab, we will learn how a vulnerable Lambda function can be leveraged to perform an SSRF attack and read files from the running container.
Objective: Exploit the Server-Side Request Forgery vulnerability and retrieve the role's access key, secret key and session token.
Solution
Step 1: Start our lab to interact with the web application we built for you!
Step 2: Check the location of the web server.
Copy the URL given below, paste it into the URL field of the web application, and click the “Check” button.
The response shows a preview of the fetched page. Observe it.
Step 3: Using the web application, we will try to read system files.
Enter the payload given below into the URL field of the web app and click the “Check” button to see the output.
Payload:
file:///etc/passwd
We can see that the application followed the file:// URL and returned the contents of /etc/passwd, so local files on the container are readable through it.
Step 4: Try to read the environment variables through the web application by requesting the /etc/environment file.
Follow the same procedure as above: enter the payload given below into the URL field of the web app and click the “Check” button.
Payload:
file:///etc/environment
We can see that the file is empty. Let’s try something else.
Step 5: Try a different path for the environment variables. /proc/self/environ holds the environment of the process that reads it, so let's use it to list the variables of the process serving our request.
Payload:
file:///proc/self/environ
Bingo! We successfully retrieved the environment variables.
Step 6: Copy the output from the previous step, paste it into the text editor of your choice and tidy it up (the variables are separated by NUL bytes, so they run together in the raw response).
Voilà! We have successfully performed the Server-Side Request Forgery (SSRF) attack.
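Steps 3 to 5 succeed because the “Check” feature fetches whatever URL it is given, including file:// paths. As an added example (not the lab's code; the function names, the FAKE_DNS table and the hostnames in it are constructed for illustration), here is the input check in Python that such a fetcher should run before making any request: allow only http(s), reject credentials embedded in the URL, and refuse hosts that resolve to loopback, link-local or private addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only these schemes may be fetched; file://, gopher://, ftp:// and the rest are refused outright.
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)            # raises ValueError on a non-IP string
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def is_safe_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason). The resolver is injectable so the check can be tested offline."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:    # urlsplit lower-cases the scheme
        return False, f"scheme '{parts.scheme}' not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "host does not resolve"
    for info in infos:                          # every A/AAAA answer must be public
        ip = info[4][0]
        if not is_public_address(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"

# Constructed stand-in for DNS so the example runs offline; production code keeps socket.getaddrinfo.
FAKE_DNS = {"example.com": "93.184.216.34", "localhost": "127.0.0.1", "db.internal": "10.0.0.5"}

def fake_resolver(host, port, proto=None):
    ip = FAKE_DNS.get(host, host)              # IP literals pass through unchanged
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        raise socket.gaierror(f"cannot resolve {host}") from None
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))]

if __name__ == "__main__":
    for u in ("file:///proc/self/environ", "http://169.254.169.254/", "https://example.com/"):
        print(u, "->", is_safe_url(u, fake_resolver))
```

Connect to the address that passed the check rather than letting the HTTP client resolve the name a second time, or re-run the check at connect time; validating once and resolving again leaves a DNS rebinding window.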
Conclusion
In this article, we saw how a vulnerable Lambda function can be leveraged to perform an SSRF attack and read files from the running container, retrieving the role's access key, secret key and session token from the process environment. I hope you enjoyed this article. Happy learning!