Server-Side Request Forgery

In this assignment, you will:

  1. Find an SSRF vulnerability in an object storage API
  2. Exploit the vulnerability to obtain access to a secret value

SSRF

Server-side request forgery (SSRF) is a vulnerability class that is growing in prevalence, especially in cloud environments. SSRF arises when malicious input can force a server-side application to issue an unintended, security-sensitive network request. Because the server can reach endpoints that are otherwise inaccessible to the attacker, or because its request carries protected authentication credentials, exploiting the vulnerability grants the attacker elevated privileges. It is thus yet another instance of the classic confused deputy problem.

You have obtained access to a copy of the vulnerable object storage API server. It is available in Canvas as source code in ssrf.tgz. You will not be able to (meaningfully) run this on your own; it is for informational purposes only.

Your goal for this assignment is to locate an SSRF vulnerability in this API, and exploit it to obtain access to a secret value.

Locating the Vulnerability

The source code you have obtained implements an “improved” object storage layer over a standard S3 API provided by DigitalOcean. Study the source code, and try to answer the following questions.

  • What is the attack surface?
  • How can an attacker provide malicious input to the API?
  • What information would be valuable to control?
  • What information does the attacker not have access to that might constitute a privilege escalation opportunity?

Exploitation

Once you have located the vulnerability, you might need to evade some simple filtering rules. First, try to understand what is being filtered. Why is that data filtered? If needed, how might you achieve the attacker’s aims despite the presence of the filter?
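For the defender's side of the filtering question, here is an added example (not part of the assignment or of the ssrf.tgz code) of a destination check that does not pattern-match the raw URL string: it enforces an allowlisted scheme, host and port, then resolves the name and rejects any address that is not publicly routable. The allowlist, hostnames, `FAKE_DNS` table and function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: the only upstream the storage layer should ever contact.
ALLOWED_HOSTS = frozenset({"objects.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})

def default_resolver(host):
    """Every IPv4/IPv6 address the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_upstream_url(url, resolver=default_resolver):
    """Return the resolved addresses the server may connect to, or raise ValueError.
    Checks run on the parsed URL and on the resolved address, never on the raw
    string, so an allowlisted name that points at an internal range is rejected
    like a literal internal address. Connect to the returned addresses directly
    (not by re-resolving the name) so a DNS-rebinding race cannot change them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {parts.hostname!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    if not addrs:
        raise ValueError("host did not resolve")  # fail closed
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local and reserved ranges.
        if not addr.is_global or addr.is_multicast:
            raise ValueError(f"{parts.hostname} resolves to non-public {addr}")
    return addrs

def is_safe_upstream(url, resolver=default_resolver):
    """Boolean form of validate_upstream_url for use in a request handler."""
    try:
        validate_upstream_url(url, resolver)
        return True
    except ValueError:
        return False

# Constructed DNS table so the example runs offline; real code uses default_resolver.
FAKE_DNS = {"objects.example.com": {"93.184.216.34"}}

def fake_resolver(host):
    return FAKE_DNS.get(host, set())
```

A resolver can be injected so the policy is testable without network access; the production path uses `default_resolver`.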

Once you have developed a plan of attack, you can attempt to exploit a running instance of the API at http://storage.nëu.lol:22851/.

Submission Instructions

  1. Upload a tgz archive to Canvas containing the following files:
    • A README.md describing what your attack does
    • The source code for your attack
  2. Extra credit. TBD.

© 2022 wkr