15 August 22

Lab Walkthrough - Server Side Request Forgery

Posted by Litesh Ghute

What is Server-side Request Forgery?

A web security vulnerability called server-side request forgery (SSRF) enables an attacker to trick the server-side application into sending requests to an unintended location.

In a typical SSRF attack, the attacker may direct the server to connect to internal-only services located within the infrastructure of the company. Other times, they might be able to force the server to establish connections with arbitrary outside systems, possibly exposing private information like authorization credentials.

In this article, we will learn how to use a vulnerable lambda function to launch an SSRF attack and read files from a running container.

Challenge Statement

In this lab, we will learn how a vulnerable lambda function can be leveraged to perform an SSRF attack and read files from the running container.

Objective: Exploit the Server Side Request Forgery vulnerability and retrieve the Role’s access key, secret and session token.

Solution

Step 1: Start our lab to interact with the web application we built for you!


Step 2: Check the location of the web server.

Copy the URL given below, paste it into the URL section of the web application and click the “Check” button.

URL: https://iplocation.com


You will be able to see the preview in the response. (Observe it)

Step 3: With the help of the web application, we will try to read the system files.

Enter the payload (given below) into the URL section of the web app and hit the “Check” button to see the output.

Payload:

file:///etc/passwd

We can see that we were successfully able to read the system files.

Step 4: Try reading the environment variables with the help of the web application by reading the /etc/environment file.

Follow the same procedure as above. Enter the payload below into the URL section of the web app and hit the “Check” button.

Payload:

file:///etc/environment

We can see that the file is empty. Let’s try something else.

Step 5: Try to read the environment variables from a different path. Let’s use the /proc/self/environ file, which holds the environment of the running process, and try listing the environment variables.

Payload:

file:///proc/self/environ

Bingo! We successfully retrieved the environment variables.

Step 6: Copy the output from the previous step, paste it into the text editor of your choice and beautify it.

Voila! We successfully performed the Server Side Request Forgery (SSRF) attack.

Conclusion

In this article, we saw how we can leverage the vulnerable lambda function to perform an SSRF attack, read files from the running container and retrieve the Role’s access key, secret and session token. I hope you enjoyed this article. Happy learning!
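
The check the “Check” handler is missing, as an added example that is not the lab's code: refuse any scheme other than http/https, then refuse hosts that resolve to non-public addresses. The names validate_fetch_url, BlockedURL, verdict and the injectable resolve parameter are hypothetical, and the http/https allow-list is an assumption about what the feature needs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the preview only needs web URLs


class BlockedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def validate_fetch_url(url, resolve=socket.getaddrinfo):
    """Return (host, [ip, ...]) if the URL may be fetched, else raise BlockedURL.

    `resolve` is injectable so the check can be exercised without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # stops file:///proc/self/environ
        raise BlockedURL(f"scheme not allowed: {parts.scheme or '(none)'}")
    host = parts.hostname
    if not host:
        raise BlockedURL("URL has no host")
    try:
        infos = resolve(host, parts.port, type=socket.SOCK_STREAM)
    except OSError as exc:
        raise BlockedURL(f"cannot resolve {host}") from exc
    addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:  # loopback, RFC 1918, link-local, ...
            raise BlockedURL(f"{host} resolves to non-public address {ip}")
    return host, addrs


def verdict(url, resolve=socket.getaddrinfo):
    """Map a URL to 'allow' or 'block: <reason>' for the handler's log."""
    try:
        validate_fetch_url(url, resolve)
        return "allow"
    except ValueError as exc:  # BlockedURL, or a malformed port from urlsplit
        return f"block: {exc}"


if __name__ == "__main__":
    # The three payloads used in Steps 3 to 5 of the walkthrough.
    for payload in ("file:///etc/passwd", "file:///etc/environment",
                    "file:///proc/self/environ"):
        print(payload, "->", verdict(payload))
```

The fetch itself should connect to one of the returned addresses and re-run the check on every redirect, otherwise a second DNS answer or a 302 can bypass the validation.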


© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.