Elevate Your SSRF Game: Weaponize Internal DNS Records to Expose Hidden Endpoints
2024-12-14 , Clappy Monkey Track

Server-Side Request Forgery (SSRF) vulnerabilities offer a range of attack possibilities, but their impact often depends on the nature of the vulnerability. While some SSRFs directly expose data from requested URLs, blind SSRFs typically result in more limited insights, such as basic reconnaissance or port scanning.

In this talk, I’ll unveil a powerful technique for amplifying the impact of blind SSRFs by leveraging internal DNS records discovered through known components. This innovative approach focuses on effectively pivoting from external SSRF attacks—where access is constrained—to exploiting internal endpoints with minimal fuzzing or guessing.

I will demonstrate practical methods for identifying and utilizing internal DNS records, which can be revealed through components such as Kubernetes services, microservices, or internal APIs. By uncovering these internal DNS entries, you can bypass traditional application mitigations and firewall rules, significantly enhancing your SSRF attacks.

Through real-world examples and hands-on demonstrations, you'll learn how to transition from limited external SSRF access to effectively exploiting internal endpoints, revealing the true potential of blind SSRFs. Join me to discover how harnessing internal DNS records can transform the effectiveness and impact of your SSRF findings, making them more actionable and insightful.


In this talk, we will explore advanced techniques for leveraging Server-Side Request Forgery (SSRF) vulnerabilities by focusing on the discovery and exploitation of internal DNS records. We’ll start with a thorough introduction to SSRF, including its types—Blind, Semi-Blind, and Direct—demonstrated through clear examples and scenarios.

We’ll review traditional SSRF capabilities such as port scanning and denial of service and evaluate the effectiveness of common mitigation strategies. The core of this presentation will introduce a novel approach to amplifying SSRF attacks by discovering and utilizing internal DNS records exposed during your research.

You’ll learn how to identify these internal DNS records from various components such as Kubernetes services, proxy servers, and more. This includes strategies for effectively using these records to pivot from external SSRF attacks to exploiting internal endpoints. We’ll focus on techniques for minimal fuzzing or guessing, showing how exposed internal DNS records can be leveraged to bypass application mitigations and firewall rules.

Through real-world case studies and practical demonstrations, you will gain insights into elevating your impact with Blind and Semi-Blind SSRF vulnerabilities by harnessing internal DNS records. This innovative approach will empower you to enhance your security assessments and uncover hidden opportunities within your environment.

Join us to discover how discovering and exploiting internal DNS records can significantly elevate the effectiveness and impact of your SSRF attacks, offering advanced techniques that will help you in your next SSRF primitive research.

With a lifelong passion for security research, Guy has been deeply involved in both developing and testing applications from a young age. Having played diverse roles in both defensive and offensive security, he leverages this dual expertise to advance vulnerability discovery, detection, and mitigation across various sectors. Specializing in web applications and cloud services, he is dedicated to addressing critical security issues on a global scale. Guy is currently a researcher at the MSRC V&M group.