Iframe injection to SSRF

Aditya Chauhan
Feb 18, 2023


In this blog post, we will explore how iframe injection can be used to exploit Server-Side Request Forgery (SSRF) vulnerabilities. We will also provide an example of how iframe injection can be used to conduct an SSRF attack.

Iframe injection is a technique where an attacker injects an iframe element into a web page to request resources from other domains. When a user accesses the web page containing the iframe element, the user’s browser sends a request to the specified URL. If the web application is vulnerable to SSRF, the attacker can control the URL and direct the request to an internal server or a vulnerable external system.

To understand how iframe injection can be used to exploit SSRF vulnerabilities, let’s consider an example. Suppose you are an attacker attempting to exploit an e-commerce website. The website allows users to view product images on a different domain. The URL of the product image is constructed based on the user’s input.

Here’s an example of a vulnerable URL construction:

<img src="http://product-images.example.com/products/123">

An attacker can use this vulnerability to conduct an SSRF attack by injecting an iframe element into the web page. Here’s an example of an iframe element that an attacker can inject into the web page:

<iframe src="http://attacker.com/?url=http://product-images.example.com/products/123"></iframe>

When a user accesses the web page containing this iframe element, the user’s browser sends a request to the attacker’s website with the URL parameter set to the vulnerable URL. The attacker’s website then sends a request to the vulnerable URL, and the response is returned to the user’s browser.

However, the attacker can modify the URL parameter to redirect the request to an internal server or a vulnerable external system. For example, the attacker can modify the URL parameter to:

<iframe src="http://attacker.com/?url=http://192.168.1.100/admin-panel"></iframe>

In this case, the request is sent to an internal server’s admin panel instead of the intended product image. This allows the attacker to access the internal server’s admin panel and potentially compromise the entire system.

To protect your web application from iframe injection and SSRF attacks, you should implement input validation and sanitization to prevent attackers from injecting malicious input into requests. Additionally, ensure that your web application only allows requests to authorized external systems and restrict access to internal systems and services to prevent unauthorized access.
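One way to apply the "only allow requests to authorized external systems" advice to the url parameter from the example above. This is an added example, not code from the original post. It assumes the server-side fetcher only ever needs to reach product-images.example.com; the function names and the injectable resolver are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the one host the server-side image fetcher needs to reach.
ALLOWED_HOSTS = {"product-images.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host):
    """Return every IP address the system resolver gives for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(addr):
    """False for private, loopback, link-local and other non-global ranges."""
    return ipaddress.ip_address(addr).is_global


def check_fetch_url(url, resolve=system_resolve):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        host, _port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if host not in ALLOWED_HOSTS:  # exact match; .hostname is already lowercased
        return False, "host not on allowlist"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "host does not resolve"
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake = lambda host: {"93.184.216.34"}
    for u in ("http://product-images.example.com/products/123",
              "http://192.168.1.100/admin-panel"):
        print(u, check_fetch_url(u, fake))
```

Validation alone leaves a gap if the HTTP client resolves the name again or follows redirects, so the fetcher should connect to the address that was checked and run the same check on every redirect target.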

In conclusion, iframe injection can be used to exploit SSRF vulnerabilities in web applications. Attackers can use it to bypass firewalls, access internal systems, and launch further attacks. To prevent iframe injection and SSRF attacks, it is essential to implement strong security measures, including input validation and sanitization, access control, and a web application firewall (WAF). By taking these measures, you can help protect your web application and its users from malicious attacks.


Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher