Using SSRF/XSPA to perform internal port scans
A Server-Side Request Forgery (SSRF) is a vulnerability where a malicious user can send a manual request to the server where the application is hosted, usually a server that has no direct access from the user's perspective.
Currently, this is a vulnerability that is getting a lot of popularity because it has a great impact on cloud infrastructures that use technologies, such as Elasticsearch, and NoSQL databases.
In the following code snippet, we can see its effect:
<?php if (isset($_GET['url'])){ $url = $_GET['url']; $image = fopen($url, 'rb'); header("Content-Type: image/png"); fpassthru($image); }
This code is vulnerable because it is receiving the url
parameter without validations, and then it is directly assigned to another variable, which is internally used by the application. It allows you to modify the request that is sent to the application in an arbitrary way. For example, to modify the...