Server Side Request Forgery

Server-Side Request Forgery (SSRF)

Definition:

SSRF is an attack where an attacker can cause the server (typically a web application server) to make a network request to an arbitrary endpoint of the attacker's choosing. This allows attackers to interact with internal services, potentially bypassing IP whitelisting, and can lead to data exfiltration, Denial of Service (DoS), or even Remote Code Execution (RCE) in some specific contexts.

Key Points:

  • SSRF allows attackers to make requests from the server to other internal resources, potentially accessing sensitive data or functionality.

  • Commonly targeted at internal networks shielded by firewalls, which the attacker would not have been able to access directly.

Attack Scenario:

  1. A web application allows users to fetch a URL (e.g., to render an image from the web or retrieve web page content).

  2. Instead of providing a legitimate URL, the attacker provides a URL pointing to internal resources (e.g., internal AWS metadata endpoint, databases, or admin panels).

Example Attack:

In a feature where users can view a webpage's content:

bash
http://example.com/fetch?url=http://internal-db.example.com/secrets

Here, the attacker is trying to get the server to fetch data from an internal database.

Common Targets:

  • Internal databases or data stores.

  • Cloud service metadata endpoints (like AWS EC2 metadata service).

  • Internal administrative interfaces.

  • Other internal services or APIs.

Mitigation:

  1. Block Private IPs:

    • Implement a denylist to prevent known internal IP ranges from being queried. This includes loopback addresses (e.g., 127.0.0.1) and other private IP ranges.

  2. Use a Safe Fetching Library:

    • Use libraries that do not follow redirects blindly, to prevent attackers from using open redirects as a bypass.

  3. Allowlist URLs:

    • Only allow certain known URLs or domains to be fetched.

  4. Use a Proxy:

    • Use an outbound proxy to make sure that the server can only connect to valid, known good external servers. This also makes monitoring easier.

  5. Limit Functionality:

    • If a feature isn't strictly necessary, consider removing it. The fewer features that allow fetching or interacting with external servers, the smaller the attack surface.

  6. Timeouts:

    • Implement strict timeouts for the fetched requests to prevent DoS attacks on internal services.

  7. Response Size Limit:

    • Limit the size of the response to prevent large data exfiltration.

  8. Monitoring and Logging:

    • Monitor for and log unexpected and failed fetches. An uptick might indicate an attacker is probing the network.

Detection:

  1. Manual Testing:

    • Test input fields and parameters that accept URLs or make external fetches.

    • Use payloads targeting localhost or private IP ranges and see if they trigger connections.

  2. Automated Tools:

    • Scanners like Burp Suite and OWASP ZAP can help detect SSRF vulnerabilities, but manual testing often catches more nuanced vulnerabilities.

Miscellaneous Notes:

  • With the rise of cloud services, SSRF can be especially dangerous. For instance, in AWS, the EC2 metadata service can potentially give an attacker IAM role credentials.

  • Always validate and sanitize user input, especially when that input might be used in network requests or to fetch data from external services.

Conclusion:

SSRF is a powerful attack that can provide an attacker with access to internal resources not usually exposed to the internet. It's crucial to understand the functionality of your application and its potential interactions with other services, both internal and external. Regularly review and test to ensure potential vulnerabilities are not present, especially in features allowing users to supply or fetch external resources.

PreviousPrototype PollutionNextServer Side Template Injection

Last updated