Server-Side Request Forgery 😈

What are SSRFs, how do they work, how do they harm

Server-Side Request Forgery (SSRF) is a type of web application security vulnerability that allows attackers to manipulate server-side requests, potentially gaining unauthorized access to internal resources and sensitive data. As organizations increasingly rely on web applications for business-critical operations, understanding and mitigating the risk posed by SSRF has become increasingly important.

In this article, we will explore the mechanics of SSRF and its potential impact on affected systems. We will also discuss best practices and strategies for identifying and preventing SSRF vulnerabilities, equipping you with the knowledge and tools necessary to safeguard your web applications from this threat.

Why should I care?

• Capital One Data Breach (2019): A hacker exploited an SSRF vulnerability in a misconfigured AWS Web Application Firewall to gain access to sensitive data of over 100 million Capital One customers. The attacker was able to access Social Security numbers, bank account numbers, and other personal information (source).
• Grafana SSRF Vulnerability (2016 — 2020): An SSRF vulnerability was discovered in Grafana, an open-source analytics and monitoring platform. Attackers could exploit the vulnerability to access internal networks and steal sensitive data. Grafana released a security update to fix the issue.
• GitLab SSRF Vulnerability (2021): GitLab, a popular web-based DevOps platform, disclosed an SSRF vulnerability that exposed orgs’ internal servers.
• Microsoft Exchange Server (2023): The mail server allows attaching files not only from your local disk but also from an URL. This could be used for arbitrary code execution.

How are SSRF attacks executed?

Server-Side Request Forgery (SSRF) attacks are executed by exploiting vulnerabilities in a web application that allow an attacker to forge server-side requests.

Typically, the attacker manipulates user input or API calls to create malicious requests, which are then sent by the server. The server has code that executes requests on behalf of the user, but the type of request or the target is changed by the attacker. These requests executed by the server can bypass security measures, such as firewalls or IP whitelisting, as they originate from the vulnerable server itself. Consequently, attackers can access restricted resources, read sensitive files, or interact with internal services that should not be exposed to external users.

In some cases, SSRF attacks can even lead to remote code execution or lateral movement within the target organization’s network.

Example Vulnerability and Attack

Think about a mail service like Microsoft Exchange or Gmail. You can upload attachments, but it’s annoying that you have to download an image and upload it again if you want to share it via e-mail. It would be more convenient if you could just click on a button to add the image given by the URL.

If the code allows arbitrary file paths, the user could cat the path to file:///etc/passwd to get the web servers local users and password hashes. Once the local users are known,file:///home/user/.ssh/id_rsa can be used to get the private SSH key. /home/user/.bash_history might reveal interesting services that can be accessed with that key.

How can I prevent SSRF attacks?

Preventing Server-Side Request Forgery (SSRF) attacks involves a combination of secure coding practices and input validation.

First, ensure that your web application follows the principle of least privilege, meaning it only has the necessary permissions and access to required resources.

Next, perform strict input validation and sanitization on all user-supplied data to prevent malicious payloads from being injected into server-side requests. Whitelisting allowed URLs, protocols, and IP addresses can help restrict outbound requests to trusted sources only.

Other secure coding practices that can help are security audits, code reviews, and educating your development team about SSRF attacks. The main reason to fall for this attack is not being aware that it exists.

What’s next?

In this series about application security (AppSec) we already explained some of the techniques of the attackers 😈 and also the techniques of the defenders 😇:

• Part 1: SQL Injections 😈🐝
• Part 2: Don’t leak Secrets 😇
• Part 3: Cross-Site Scripting (XSS) 😈🐝
• Part 4: Password Hashing 😇
• Part 5: ZIP Bombs 😈
• Part 6: CAPTCHA 😇
• Part 7: Email Spoofing 😈
• Part 8: Software Composition Analysis (SCA) 😇
• Part 9: XXE attacks 😈🐝
• Part 10: Effective Access Control 😇
• Part 11: DOS via a Billion Laughs 😈
• Part 12: Full Disk Encryption 😇
• Part 13: Insecure Deserialization 😈
• Part 14: Docker Security 😇
• Part 15: Credential Stuffing 😈🐝
• Part 16: Multi-Factor Authentication (MFA/2FA) 😇
• Part 17: ReDoS 😈
• Part 18: Secure and Private Instant Messaging 😇
• Part 19: Cryptojacking 😈
• Part 20: Backups 😇
• Part 21: CSRF 😈
• Part 22: Cookies 😇
• Part 23: Clipboard Hijacking 😈
• Part 24: Certificates 😇
• Part 25: Server-Side Request Forgery (SSRF) 😈
• Part 26: Content Security Policy (CSP) 😇
• Part 27: Race Condition Attacks in Blockchains 😈
• Part 28: Network Separation 😇
• Part 29: Social Engineering (including Phishing) 😈
• Part 30: Virtual Private Networks (VPNs) 😇
• Part 31: Scareware
• Part 32: JSON Web Tokens (JWT) 😇
• Part 33: Clickjacking 😈
• Part 34: Single-Sign-On 😇
• Part 35: Man-in-the-Middle (MITM) Attacks 😈
• Part 36: Mobile Device Management (MDM) 😇
• Part 37: Insider Threats 😈
• Part 38: Data Loss Prevention (DLP) 😇
• Part 39: Subdomain Takeover 😈
• Part 40: Web Application Firewalls (WAF) 😇
• Part 41: Brute Force Attacks 😈
• Part 42: Security Information and Event Management (SIEM) 😇
• Part 43: Cache Poisoning 😈
• Part 44: HTTPS and TLS Best Practices 😇
• Part 45: Path Traversal Attacks 😈
• Part 46: Application Security Testing (AST) 😇
• Part 47: DNS Rebinding 😈
• Part 48: Zero Trust Architecture 😇
• Part 49: Watering Hole Attacks 😈
• Part 50: Identity and Access Management (IAM) 😇

Let me know if you are interested in more articles around AppSec / InfoSec!

I love writing about software development and technology 🤩 Don’t miss updates: Get my free email newsletter 📧 or sign up for Medium ✍️ if you haven’t done it yet — both encourage me to write more 🤗

👋 If you find this helpful, please click the clap 👏 button below a few times to show your support for the author 👇

🚀Join FAUN Developer Community & Get Similar Stories in your Inbox Each Week