Top 25 Server-Side Request Forgery (SSRF) Bug Bounty Reports

(Photo by Taylor Vick on Unsplash)

In this article, we will discuss the Server-Side Request Forgery (SSRF) vulnerability, and present 25 disclosed reports based on this flaw.

What is Server-Side Request Forgery?

SSRF is when you, as an attacker, successfully make the application triggering arbitrary requests.

Server-Side Request Forgery (SSRF) is basically correlated with other vulnerabilities a lot of times, for example:

XXE with SSRF:

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>

Host Header Injection with SSRF:

GET / HTTP/1.1
Host: localhost

HTML Injection with SSRF:

<iframe src=http://localhost></iframe

ImageMagick SSRF in HLS Processing:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE: 0
#EXTINF:10.0,
http://localhost
#EXT-X-ENDLIST

Why is that dangerous?

Let’s assume you are hosting an application on port 80/443 externally, and the administrative panel is being hosted on port 8008 internally. Through SSRF, you can send arbitrary requests to the administrative panel hosted internally