SSRF
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker tricks a web server into making unauthorized requests, often by manipulating user-supplied URLs. This can allow access to internal systems, bypass firewalls, and expose sensitive data.
The following URL schemes are commonly used in the exploitation of SSRF vulnerabilities:
http:// and https://: These URL schemes fetch content via HTTP/S requests. An attacker might use this in the exploitation of SSRF vulnerabilities to bypass WAFs, access restricted endpoints, or access endpoints in the internal network.
file://: This URL scheme reads a file from the local file system. An attacker might use this in the exploitation of SSRF vulnerabilities to read local files on the web server (LFI).
gopher://: This protocol can send arbitrary bytes to the specified address. An attacker might use this in the exploitation of SSRF vulnerabilities to send HTTP POST requests with arbitrary payloads or communicate with other services such as SMTP servers or databases.
Exploiting SSRF vulnerabilities can lead to:
Interacting with known internal systems
Discovering internal services via port scans
Disclosing local/sensitive data
Including files in the target application
Leaking NetNTLM hashes using UNC Paths (Windows)
Achieving remote code execution
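An added example, not part of the original page: a server-side check that accepts only http:// and https:// URLs and refuses any host that resolves to a non-public address, covering the scheme and internal-network cases listed above. The names check_url, is_internal, sample_resolver, dns_resolver and the SAMPLE_DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, gopher:// and the rest are refused

# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "::ffff:127.0.0.1"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [host])  # unknown names are treated as IP literals


def dns_resolver(host):
    """Production resolver: every address the name maps to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_internal(address):
    """True unless the address is globally routable unicast (fails closed)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # classify ::ffff:a.b.c.d as the IPv4 address
    return ip.is_multicast or not ip.is_global


def check_url(url, resolver=sample_resolver):
    """Return (allowed, reason) for a user-supplied URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    blocked = [a for a in addresses if is_internal(a)]
    if blocked or not addresses:
        return False, "internal or unresolvable address"
    return True, "ok"
```

The outbound request has to connect to the address that was checked, and every redirect needs the same check, or the validation and the fetch can disagree about where the request goes.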