
Blind SSRF exploitation: A comprehensive overview and tutorial



Let us create an HTML file containing a link to a service under our control to test whether the application is vulnerable to blind SSRF. This service can be a web server hosted on a machine we own, Burp Collaborator, a Pingb.in URL, etc. Note that the protocols usable for out-of-band detection include HTTP, DNS, FTP, etc.; a DNS lookup for a unique hostname is the most reliable signal, since it is recorded even when the server's outbound HTTP traffic is firewalled.
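The detection described above needs one more piece than a listener: a way to tell which parameter caused a callback. The following Python snippet is an added example, not code from the original page or from any of the tools it names. It mints one callback URL per injection point with a random token in the hostname and correlates listener log lines back to that point. The listener host oob.example, both log-line formats and the IP addresses are constructed assumptions; real Collaborator or web-server logs need their own parsers.

```python
"""Out-of-band (OOB) detection of blind SSRF: every injection point gets a
callback URL carrying its own random token, so any DNS lookup or HTTP hit
on a listener we control can be traced back to the parameter that caused it.

Added example, not code from the original page. The listener host
(oob.example), both log-line formats and the IP addresses are constructed.
"""
import re
import secrets
from dataclasses import dataclass, field

TOKEN_HEX_LEN = 16  # secrets.token_hex(8) -> 16 hex characters

# Constructed log formats for the two channels the listener records.
HTTP_LOG_RE = re.compile(r'^(?P<ip>\S+) "(?:GET|POST|HEAD) \S+ HTTP/[\d.]+" host=(?P<host>\S+)$')
DNS_LOG_RE = re.compile(r'^(?P<ip>\S+) query: (?P<host>\S+) IN (?:A|AAAA)$')


@dataclass
class OobTracker:
    listener_host: str                          # wildcard DNS zone we control
    issued: dict = field(default_factory=dict)  # token -> injection point label
    hits: dict = field(default_factory=dict)    # token -> [(source_ip, channel), ...]

    def probe_url(self, label: str, scheme: str = "http") -> str:
        """Mint a unique callback URL for one injection point.

        The token lives in the hostname, not the path, so a bare DNS lookup
        (e.g. when egress HTTP is firewalled) is still attributable.
        """
        token = secrets.token_hex(TOKEN_HEX_LEN // 2)
        self.issued[token] = label
        self.hits[token] = []
        return f"{scheme}://{token}.{self.listener_host}/"

    def _token_from_host(self, host: str):
        pat = rf'([0-9a-f]{{{TOKEN_HEX_LEN}}})\.{re.escape(self.listener_host)}\.?'
        m = re.fullmatch(pat, host.lower())
        return m.group(1) if m else None

    def record(self, log_line: str):
        """Attribute one listener log line; return the label hit, or None for noise."""
        for channel, pat in (("http", HTTP_LOG_RE), ("dns", DNS_LOG_RE)):
            m = pat.match(log_line)
            if m:
                token = self._token_from_host(m.group("host"))
                if token in self.issued:          # unknown tokens: scanners, typos
                    self.hits[token].append((m.group("ip"), channel))
                    return self.issued[token]
                return None
        return None

    def report(self) -> dict:
        """label -> list of hits; an empty list means that point never called back."""
        return {label: self.hits[tok] for tok, label in self.issued.items()}


def demo() -> dict:
    """Two injection points, one constructed listener log; returns the report."""
    t = OobTracker("oob.example")
    url_avatar = t.probe_url("profile.avatar_url")
    t.probe_url("webhook.callback")
    host_avatar = url_avatar.split("/")[2]
    lines = [                                            # constructed listener log
        f"203.0.113.7 query: {host_avatar}. IN A",       # DNS lookup from the target
        f'203.0.113.7 "GET / HTTP/1.1" host={host_avatar}',
        '198.51.100.9 "GET / HTTP/1.1" host=scanner.oob.example',  # unrelated noise
    ]
    for line in lines:
        t.record(line)
    return t.report()
```

A point that never calls back is not proven safe: the request may be made over a protocol the listener does not log, or egress may be blocked entirely, so absence of a hit only downgrades the finding to "not confirmed".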


Semi-blind SSRF, like blind SSRF, does not return the full response of the resulting request, but some data is exposed. This can be partial data or error messages that give the attacker more information. Metadata about a request, such as response time, can also make an SSRF semi-blind, since it lets an attacker tell whether the request succeeded. Semi-blind SSRF is often enough to confirm the vulnerability, but not always enough to extract sensitive data.




Blind SSRF exploitation



A variety of techniques can be used to exploit SSRF vulnerabilities. These range from simply providing parameters in the correct spots to exploiting the way that a server processes certain data. It is not always obvious that an SSRF vulnerability is present, and sometimes exploitation requires taking advantage of existing workflows in ways the developer did not intend.


SSRF is a very broad vulnerability class with a variety of potential exploitation scenarios and the potential for high impact. However, the impact is very context specific, depending on the behavior of the application and the environment the application server is in. Mitigation can be difficult, and the best solutions layer several controls to limit the damage from both known and unknown SSRF vulnerabilities.


What one can achieve with blind server-side request forgery depends heavily on the context of the vulnerability. Port scanning (XSPA) and hitting unauthenticated HTTP endpoints (e.g. /shutdown :P) are possibly the most obvious things you can achieve, however, from my personal experience as a bug bounty hunter, people will attempt to chain blind SSRF with other issues in order to escalate the severity and exploitability as seen in -from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html.


The approach highlighted here differs from a blind SSRF exploit. A blind SSRF occurs when the application's backend makes the attacker-controlled request, but the response to that request is never returned to the attacker; only side effects or out-of-band signals reveal that it happened.


Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the widgetconnector plugin.


Port scanning with blind SSRF works the same way. If the server returns a 200 status code for some ports and 500 for others, the ports that yield 200 are probably the open ones. Treat this as a hypothesis rather than a fact: the status code reflects how the application handled its own request, so compare against a port known to be closed, repeat each probe, and use response time as a second signal (a port that accepts the connection but never speaks HTTP often produces the same error code as a closed one, only much later).
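The following Python snippet is an added example, not code from the original page, that turns the two semi-blind signals this page discusses, the application's status code and its response time, into a port-state classification. The internal target 10.0.0.5, the server-side timeout and the simulated responder are constructed assumptions; in a real engagement probe() would submit the payload URL in the vulnerable parameter and time the application's reply.

```python
"""Port-state inference through a blind SSRF from the only two signals the
application leaks: its own HTTP status code and how long it takes to answer.

Added example, not from the original page. The internal target, the
server-side timeout and the simulated responder are constructed assumptions.
"""
import random
import statistics
from collections import Counter
from urllib.parse import urlsplit

TIMEOUT = 5.0        # assumed back-end connect/read timeout, in seconds
TARGET = "10.0.0.5"  # constructed internal host


def payload(port: int) -> str:
    """The value we would submit in the vulnerable parameter for one port."""
    return f"http://{TARGET}:{port}/"


def baseline_closed(probe, ref_port: int, n: int = 5):
    """Probe a port believed closed n times: (status, median time, spread)."""
    samples = [probe(payload(ref_port)) for _ in range(n)]
    times = [t for _, t in samples]
    med = statistics.median(times)
    mad = statistics.median(abs(t - med) for t in times)
    return samples[0][0], med, max(mad, 0.005)   # floor the spread so tiny jitter is not magnified


def classify(status, elapsed, closed_status, med, mad, timeout=TIMEOUT) -> str:
    if elapsed >= 0.9 * timeout:
        return "filtered"   # nothing ever answered: dropped by a firewall
    if status != closed_status:
        return "open"       # back end got a reply it rendered differently
    if elapsed > med + 8 * mad:
        return "open"       # same error, but connect succeeded and the read stalled (non-HTTP service)
    return "closed"         # fast "connection refused"


def scan(probe, ports, ref_port: int, repeats: int = 3) -> dict:
    """Classify each port; every probe is repeated and the median taken to damp jitter."""
    closed_status, med, mad = baseline_closed(probe, ref_port)
    result = {}
    for port in ports:
        samples = [probe(payload(port)) for _ in range(repeats)]
        status = Counter(s for s, _ in samples).most_common(1)[0][0]
        elapsed = statistics.median(t for _, t in samples)
        result[port] = classify(status, elapsed, closed_status, med, mad)
    return result


def make_simulated_probe(seed: int = 0):
    """Stand-in for 'submit the URL, return (app status, seconds)'. Constructed behaviour:
    80 = HTTP service, 22 = SSH (accepts TCP, never speaks HTTP), 9999 = filtered, rest closed."""
    rng = random.Random(seed)
    behaviour = {80: (200, 0.05), 22: (500, 1.5), 9999: (500, TIMEOUT)}

    def probe(url: str):
        port = urlsplit(url).port
        status, base = behaviour.get(port, (500, 0.01))
        return status, base + rng.uniform(0.0, 0.004)

    return probe
```

The reference port matters more than the thresholds: without a known-closed baseline from the same host, a 500 that simply means "the application cannot parse that reply" is indistinguishable from "connection refused".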


All four SSRF vulnerabilities we discovered belong to the third category, full SSRF (aka non-blind SSRF). To give an idea of how exploitable these vulnerabilities are, non-blind SSRF flaws can be leveraged in many different ways, including SSRF via XXE, SSRF via an SVG file, SSRF via a proxy, SSRF via PDF rendering, SSRF via a vulnerable query string in the URL, and many more.


The two examples above are basic, or non-blind, SSRF attacks. That means the attacker gets feedback from the server in the form of visible data. In the first example, the attacker gains access to the /admin directory; in the second, they read the /etc/passwd file.


WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Affected Versions: WordPress versions 6.1.1 and prior

QID Detection Logic: This QID sends an HTTP GET request and checks for a vulnerable version of WordPress running on the target application.


Successful exploitation of these vulnerabilities could allow an attacker to execute requests to systems in the internal network to reveal sensitive information of the server with blind Server Side Request Forgery (SSRF) via DNS Rebinding.
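The validate-then-fetch race behind this class of bug, shown as an added illustration in Python. This is not WordPress's code; the hostnames, IP addresses and the resolve/connect callbacks are constructed so the race can be run deterministically offline. The vulnerable version resolves the hostname to check it and then lets the HTTP client resolve it again when connecting; an attacker-controlled DNS server with a short TTL answers differently the second time. The hardened version connects to the address it validated and carries the original hostname only in the Host header.

```python
"""Validate-then-fetch TOCTOU (the pattern behind DNS-rebinding blind SSRF),
shown with a deterministic fake resolver so the race can be run offline.

Added illustration, not WordPress's code. The hostnames, IP addresses and the
resolve/connect callbacks are constructed assumptions.
"""
import ipaddress
from urllib.parse import urlparse


def is_public(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata), multicast, reserved."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def vulnerable_fetch(url: str, resolve, connect):
    """Check the name once, then let the HTTP client resolve it again (two lookups)."""
    host = urlparse(url).hostname
    if not is_public(resolve(host)):        # time of check
        raise ValueError("target not allowed")
    return connect(resolve(host), host)     # time of use: a second, independent lookup


def hardened_fetch(url: str, resolve, connect):
    """Resolve once, validate that answer, and connect to exactly that address."""
    host = urlparse(url).hostname
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError("target not allowed")
    return connect(ip, host)                # pinned IP; host goes in the Host header only


class RebindingResolver:
    """Attacker DNS: first answer is a public address, every later answer is loopback."""

    def __init__(self, public="8.8.8.8", internal="127.0.0.1"):   # constructed addresses
        self.answers = [public, internal]
        self.calls = 0

    def __call__(self, host: str) -> str:
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return ip


def fake_connect(ip: str, host: str) -> str:
    """Stand-in for opening the socket; returns the address the request really went to."""
    return ip


def demo() -> dict:
    url = "http://attacker.example/ping"          # constructed attacker-controlled name
    return {
        "vulnerable": vulnerable_fetch(url, RebindingResolver(), fake_connect),
        "hardened": hardened_fetch(url, RebindingResolver(), fake_connect),
    }
```

Pinning the address closes the rebinding window but is not the whole fix: any redirect the fetched server returns must go through the same resolve-validate-pin path, and for HTTPS the client must still present the original hostname for SNI and certificate checking while connecting to the pinned IP.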


QID 154128: WordPress Unauthenticated Blind SSRF Via DNS Rebinding Vulnerability (CVE-2022-3590)
Severity: 3
Solution: Customers are advised to refer to the blog.sonarsource.com post or the WPScan security advisory.
Date inserted: 2022-12-28; date published: 2023-01-02
CVSS v2 base score: 7.8 (temporal 5.7); CVSS v3 base score: 5.9 (temporal 5.0)


According to a recent post from Sonar, a blind server-side request forgery (SSRF) vulnerability affected the pingback implementation in WordPress. Exploiting it lets an adversary reach internal hosts that the pingback validation is meant to block; the pingback feature has also long been abused as a reflector for DDoS attacks against other sites.


If the software with the blind vulnerability is an open source tool, or the attacker can otherwise obtain a copy of the source code, they do not need feedback from the system to know whether the exploit worked: they can read the code path and predict the effect of the request.


The impact of blind vulnerabilities varies, since "blind" is a variant of an existing vulnerability class rather than a category of its own. There is SQL injection and blind SQL injection, XSS and blind XSS, and so on, so the impact depends on which underlying vulnerability is blind.


A vulnerability being blind does not reduce its impact, only the likelihood of exploitation, since it is usually harder to find. If data is extracted through a time-based attack, an active attack should also be easier to detect because of the larger number of requests needed.


We use the out-of-band method in our web application scanner to deliver more reliable results on blind vulnerabilities. Our test bed consists of 1500+ known vulnerability findings for the most common classes of vulnerabilities and also goes beyond the OWASP Top 10. The Detectify web application scanner is free to try, and you can start your 14-day free trial today.


When a port was not available I got a 500 error from the server. OK, so I had a blind SSRF, but I wanted more than a simple port scan! Then I remembered that at one point in the site, when you want to access a document, the URL is of the type RESSOURCE_ID.


Server-Side Request Forgery (SSRF) is an interesting attack which involves forcing a target server to send HTTP requests to a host of your choosing on your behalf. The HTTP response is then shown to the attacker, unless you're dealing with blind SSRF. If you get SSRF on a server hosted on Amazon Web Services (AWS), you can turn this finding into a critical-severity issue.


SSRF is used to force an application to make HTTP requests while showing the response to the attacker. Note that the attacker must be able to view the response; otherwise it is considered blind SSRF, which won't work here.


A blind SSRF is harder to track, since nothing from the forged request's response is sent back to the attacker. The request is still made, though, and its side effects are what the attacker exploits: an internal endpoint reached through the server can change state, crash a service (a denial of service, DoS), or otherwise disrupt the application, even though the attacker never sees the reply.


Similar to a blind SSRF, this type of attack (semi-blind SSRF) does not return much data, but what it does return, such as error messages or response times, can help an attacker plan a more in-depth attack.

