SSRF attacks fall into 3 categories:

Blind

You can launch the request but can't see the result. To confirm the existence of a blind SSRF, initiate a server-side request to a resource you own so you can see the request come in. If you want to confirm the SSRF can reach internal targets, measure timing. This doesn't prove anything, but if the attack is consistently slower against certain IP addresses / ports, then there's probably something alive on that address / port.

Furthermore, you can try certain GET or POST parameters to see how those change the speed, to gain more clues.

Blind SSRF used this way can allow you to map the internal network used by the target.

Semi-blind

You get something, but not everything. For an example of this, see Bypassing Firewalls with Server Side Request Forgery.

Non-blind

You can see the full result. This is the ideal condition, allowing you to not only map the network, but interact easily with internal resources, or use the host as a proxy.
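The three categories above differ only in how much of the response the attacker gets back; the server-side mitigation is the same for all of them, because in every case the application is fetching a URL on the user's behalf. The following Python is an added example, not code from the original post: it vets a user-supplied URL before the server fetches it, with a hostname allowlist and a check that the name does not resolve to a loopback, link-local, private or multicast address. The hostnames and IP addresses in it are constructed for the example, and the resolver is injectable so the logic runs offline; it assumes the caller then connects to the returned IP (not re-resolving the name) and re-vets every redirect hop.

```python
"""Vet a user-supplied URL before the server fetches it (SSRF mitigation).

Added example, not from the original post. Assumptions: the application keeps
an allowlist of outbound hostnames, connects to the IP this function returns
rather than re-resolving the name (closing the DNS-rebinding window between
check and use), and disables automatic redirects or re-vets each hop.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped first so a private IPv4
    target cannot hide inside an IPv6 literal. Multicast is rejected
    explicitly because older Python versions report 224/4 as global.
    Note that Python also treats the RFC 5737 documentation ranges
    (192.0.2/24, 198.51.100/24, 203.0.113/24) as non-global.
    """
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def vet_url(url: str, allowed_hosts: frozenset, resolver=socket.getaddrinfo) -> str:
    """Return one resolved, validated IP for `url`, or raise ValueError.

    Every address the name resolves to must be public; one bad record is
    enough to reject, since the client may pick any of them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname  # already lower-cased, brackets stripped
    if not host or host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    addrs = {info[4][0] for info in infos}
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in sorted(addrs):
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return sorted(addrs)[0]


def is_safe_url(url: str, allowed_hosts: frozenset, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around vet_url for callers that only need yes/no."""
    try:
        vet_url(url, allowed_hosts, resolver)
        return True
    except ValueError:
        return False


# Constructed resolver table standing in for DNS, so the example runs offline.
_FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],        # constructed public address
    "rebound.example.com": ["169.254.169.254"],  # constructed: points at link-local
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
    "v6trick.example.com": ["::ffff:127.0.0.1"],
}


def fake_resolver(host, port, proto=0):
    """getaddrinfo-shaped lookup against _FAKE_DNS (constructed data)."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in _FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    allow = frozenset(_FAKE_DNS)
    for u in ("https://api.example.com/report",
              "https://rebound.example.com/latest/meta-data/",
              "http://mixed.example.com/",
              "http://v6trick.example.com/",
              "http://127.0.0.1/",
              "gopher://api.example.com/",
              "https://api.example.com:8443/"):
        print(f"{u:50} -> {'allowed' if is_safe_url(u, allow, fake_resolver) else 'blocked'}")
```

The checks are layered on purpose: the allowlist stops arbitrary hosts, the scheme and port checks stop protocol smuggling into non-HTTP services, and the resolved-address check catches an allowlisted name that is later pointed at an internal address. Returning the IP and connecting to it directly is what prevents the timing and callback probing described above from being turned into an internal network map.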


Dear mods, just a personal blog post, please do let me know if anything is wrong with this here <3