1
00:00:01,600 --> 00:00:04,240
Hello, everyone, and welcome to this video.

2
00:00:05,200 --> 00:00:12,790
So in this video, we are going to discuss about SRF, which is also known as Silverside Request for

3
00:00:12,790 --> 00:00:13,140
forgery.

4
00:00:13,990 --> 00:00:21,100
First, you should know this, that a very common vulnerability, which is identified in a lot of bug

5
00:00:21,100 --> 00:00:27,930
bounty programs on these crowdsourced platforms like Backroad Integrity, Sinak or one.

6
00:00:28,720 --> 00:00:35,710
Also, this is a type of vulnerability which is also identified in a lot of private programs, which

7
00:00:35,710 --> 00:00:36,730
you should not miss.

8
00:00:37,420 --> 00:00:46,600
So let's quickly jump into what of SRF and understand what exactly is this vulnerability, which is

9
00:00:46,600 --> 00:00:50,150
the class and attack vector for this venerability.

10
00:00:50,650 --> 00:00:57,790
So it is a Web based bug which allows the attackers to induce server side applications to make arbitrary

11
00:00:58,000 --> 00:01:00,280
SCDP request to any domain.

12
00:01:01,330 --> 00:01:08,170
Attack, it might also cause the server to make a connection back to himself or to any other Web services

13
00:01:08,170 --> 00:01:14,530
within the organization's infrastructure or to any third party domains or systems as well.

14
00:01:15,310 --> 00:01:24,490
Now, we have understood till now that SRF basically includes inducing some HGP request to ourselves

15
00:01:24,790 --> 00:01:30,190
or within the organization, to some other Web based services or any third party domains.

16
00:01:30,520 --> 00:01:31,090
All right.

17
00:01:31,540 --> 00:01:40,420
So let's now understand and jump into how all of SRF and understand the principle of how it actually

18
00:01:40,420 --> 00:01:41,450
functions or work.

19
00:01:42,370 --> 00:01:48,880
So for this, I have demonstrated a very, very simple principle example that will make everything clear

20
00:01:48,880 --> 00:01:52,270
for you to understand the working of this attack.

21
00:01:53,050 --> 00:02:02,080
So the first thing that happens is any attacker, which you can see over here, sends a request to example

22
00:02:02,080 --> 00:02:02,650
dot com.

23
00:02:02,830 --> 00:02:08,620
Remember, in this case, we have considered example, dot com to be a vulnerable Web application.

24
00:02:09,310 --> 00:02:14,830
So the attacker is sending a request, which is a get request to example dot com, which is a host.

25
00:02:15,100 --> 00:02:19,060
And that hacker says, I want to reach Google dot com through you.

26
00:02:19,630 --> 00:02:29,110
So the server sends a request to Google dot com and then the request is finally transferred or sent

27
00:02:29,320 --> 00:02:34,480
to Google dot com server as against the request that has been sent is a get request.

28
00:02:34,810 --> 00:02:36,710
And the host is Google dot com this time.

29
00:02:37,210 --> 00:02:46,570
So basically, the attacker has induced the action of fetching a resource from a third party or attacker

30
00:02:46,570 --> 00:02:51,310
controlled domain through the vulnerable web application, which is an example dot com.

31
00:02:51,880 --> 00:03:01,180
Now the Google dot com or the attacker control dot com or a Web application server may send a response

32
00:03:01,390 --> 00:03:03,970
from it back to Google dot com.

33
00:03:04,210 --> 00:03:10,540
And the example dot com will send a response to the attacker dot com.

34
00:03:10,900 --> 00:03:13,810
And this is how SRF attack works.

35
00:03:14,470 --> 00:03:20,410
Now, to sum up everything in very, very simple words, you should understand that an attacker can

36
00:03:20,590 --> 00:03:28,750
make any arbitrary request to any third party domain from the one web application and get the response

37
00:03:28,750 --> 00:03:34,320
of those particular requests that has been made is the main principle of SRF.

38
00:03:35,490 --> 00:03:42,630
Also, you should keep in mind that the attacker may not induce any request to third party domain and

39
00:03:42,630 --> 00:03:50,550
may only induce request to himself or back to his server, which he is controlling.

40
00:03:51,660 --> 00:04:00,660
The attacker may also scan the internal network and get the responses of that scans onto his own server

41
00:04:00,660 --> 00:04:01,110
as well.

42
00:04:02,630 --> 00:04:09,200
All right, so what does the impact of SARS, so now you must have understood that the attacker can

43
00:04:09,200 --> 00:04:17,420
get a lot of sensitive information from the server back to him onto his third party domain or any arbitrary

44
00:04:17,420 --> 00:04:17,840
sort.

45
00:04:19,480 --> 00:04:24,320
So the attacker can get unauthorized actions onto the application.

46
00:04:24,850 --> 00:04:32,920
The attacker can access the data within the organization or metadata for cloud instances, as nowadays

47
00:04:32,920 --> 00:04:39,310
a lot of other application providers are shifting to cloud instances like Google.

48
00:04:39,670 --> 00:04:42,340
A.W. is to give some example.

49
00:04:43,520 --> 00:04:49,940
Now, you may also get a lot of sensitive files from those metadata of the cloud instances, which we

50
00:04:49,940 --> 00:04:51,050
are going to see ahead.

51
00:04:51,890 --> 00:04:58,010
You can also make our internal report scan of the target web applications organization and identify

52
00:04:58,010 --> 00:05:02,140
if there is any service which is running onto the server.

53
00:05:02,720 --> 00:05:10,880
If the service is one level, then you can also able to exploit that service and you can achieve RC.

54
00:05:12,340 --> 00:05:18,430
You can also know about the internal apps which are running behind a reverse proxy after a successful

55
00:05:18,430 --> 00:05:20,980
identification of SRF attack.

56
00:05:22,990 --> 00:05:31,030
So you're is a very, very simple example, which you can understand for how you can utilize SRF to

57
00:05:31,030 --> 00:05:37,540
scan indranil services, as you can see, this is the attacker under the most top left.

58
00:05:38,260 --> 00:05:46,900
And you can see there is a firewall which only allows to request, which is through put it and put four

59
00:05:46,900 --> 00:05:47,400
for three.

60
00:05:48,190 --> 00:05:52,870
Now, the attacker identifies as a sort of based vulnerability into the Web application.

61
00:05:53,170 --> 00:06:00,490
He is also able to scan all of the ports maybe which are running on ElasticSearch Kibwana, Memcache

62
00:06:00,640 --> 00:06:03,910
Redish or Wango TV on other ports as well.

63
00:06:04,900 --> 00:06:12,510
So this is how the attacker is able to scan internal services by only going through port for 443, an

64
00:06:12,520 --> 00:06:19,610
ID of a successful SRF into the application and then further scan all the internal services.

65
00:06:20,500 --> 00:06:26,470
So I hope you guys understood in the upcoming videos we are going to see the basics of SRF and then

66
00:06:26,470 --> 00:06:32,830
we'll move on to advance and how you can bypass Estacada of protection on multiple Web applications

67
00:06:33,070 --> 00:06:35,000
and how to do for exploitation.

68
00:06:35,680 --> 00:06:36,880
I hope you guys understood.

69
00:06:37,090 --> 00:06:37,630
Thank you.