DEV Community

Harshith Gamini

Server Side Request Forgery SSRF

Introduction

Server Side Request Forgery, popularly known as SSRF, is among the OWASP Top 10 vulnerabilities. It is a web security vulnerability that lets an attacker make the server-side application send requests to resources that are normally reachable only from inside the organization. The attacker supplies a URL, which the server then uses to read and access those resources. In some cases, attackers force the server to connect to third-party external systems, which can leak sensitive information and compromise the confidentiality of the data.

What is the impact of an SSRF attack?

In an SSRF attack, an attacker can read or modify internal resources by abusing server functionality. By carefully choosing the URLs, the attacker may be able to read server configuration information, connect to internal services such as HTTP-enabled databases, or send POST requests to internal services that were never intended to be exposed.
Additionally, the attacker can bypass input validation by importing untrusted data into code that expects to read data only from trusted sources.
Whenever an SSRF exploit establishes a connection with an external third-party system, harmful onward attacks can follow, and these appear to originate from the organization hosting the vulnerable application.

Types of SSRF attacks

  • Attacking the Server
    In this type of attack, the intruder induces the application to send an HTTP request back to the server hosting it, so that the request travels over the loopback network interface. This is done by supplying a URL whose hostname is localhost or 127.0.0.1, the reserved IP address that points to the loopback adapter.

Consider an application that sells groceries. To check the quantity of eggs in stock, the application makes a request to its server as below:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 92

stockApi=http://stock.myGroceries.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

The above request causes the server to respond with the quantity of the requested item. The attacker therefore modifies the URL in the request as below:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

stockApi=http://localhost/admin

The server fetches the contents of the /admin URL and returns them to the attacker, who thereby gains administrative access to the application.

  • Attacking the File System
    The attacker may read files present on the server by replacing the expected URL with a file:// URL.

  • Attacking the Cloud Server
    Some cloud services expose a REST interface on a fixed IP address such as 169.254.169.254 that serves sensitive information such as cloud metadata, configuration and sometimes authentication keys.

Prevention of SSRF

  • Input Validation and Sanitization
    Strict input validation rules help prevent attackers from injecting harmful payloads into requests. Sanitizing user input by rejecting any potentially dangerous characters or patterns lowers the likelihood of SSRF attacks.

  • URL Parsers and Access Control Lists
    Using a safe URL parser helps prevent attackers from using URL manipulation to reach internal resources that should be restricted. Access controls, in turn, ensure that sensitive data and resources can be reached only by authorized individuals and systems.
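The stockApi handler described above, written both ways, as an added example that is not part of the original post: the vulnerable version hands the client-supplied URL straight to the HTTP client, while the hardened version applies the validation, safe-parser and allowlist advice from this section and also covers the localhost, file:// and 169.254.169.254 cases from the attack types above. The backend hostname, the allowed ports and the offline DNS tables are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for the stock-check feature: the only backend it should ever
# talk to is the stock service, over plain HTTP(S) on a known port.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"stock.mygroceries.net"}
ALLOWED_PORTS = {80, 443, 8080}


class SSRFError(ValueError):
    """Raised when a user-supplied URL violates the outbound-request policy."""


def vulnerable_fetch_target(stock_api: str) -> str:
    """The vulnerable pattern: the client-supplied stockApi value is handed to
    the HTTP client unchanged, so http://localhost/admin or file:///etc/passwd
    would be fetched just like the real stock URL."""
    return stock_api


def is_disallowed_address(ip: str) -> bool:
    """True for loopback (127.0.0.1), private (10.0.0.0/8, ...), link-local
    (169.254.169.254 falls here), unspecified, reserved and multicast addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def validate_outbound_url(stock_api: str, resolver=socket.getaddrinfo) -> str:
    """The hardened pattern: parse with the standard-library parser, allowlist
    scheme, host and port, then check every address the host resolves to.
    Returns the URL to fetch, or raises SSRFError."""
    parts = urlsplit(stock_api)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # blocks file://, gopher:// ...
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:  # http://stock.mygroceries.net@evil/ style tricks
        raise SSRFError("credentials in URL are not allowed")
    host = parts.hostname or ""  # already lowercased by urlsplit
    if host not in ALLOWED_HOSTS:
        raise SSRFError(f"host not allowed: {host!r}")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise SSRFError(f"port not allowed: {port}")
    # An allowlisted name can still resolve to an internal address (a DNS
    # record the attacker influences, or a misconfiguration), so check the
    # resolver's answers as well, not just the name.
    for info in resolver(host, None):
        ip = info[4][0]
        if is_disallowed_address(ip):
            raise SSRFError(f"{host} resolves to disallowed address {ip}")
    return parts.geturl()


def is_safe_outbound_url(stock_api: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper for callers that only need an allow/deny decision.
    SSRFError subclasses ValueError, and urlsplit/port parsing raise ValueError
    on malformed input, so one except clause covers both."""
    try:
        validate_outbound_url(stock_api, resolver)
        return True
    except ValueError:
        return False


def make_resolver(table):
    """Constructed offline stand-in for socket.getaddrinfo: resolves names from
    a fixed table so the example runs without network access."""
    def resolver(host, port=None, *args, **kwargs):
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port or 0))]
    return resolver


DEMO_DNS = make_resolver({"stock.mygroceries.net": "93.184.216.34"})  # public address
POISONED_DNS = make_resolver({"stock.mygroceries.net": "127.0.0.1"})  # name points at loopback


if __name__ == "__main__":
    for url in ("http://stock.myGroceries.net:8080/product/stock/check?productId=6&storeId=1",
                "http://localhost/admin",
                "file:///etc/passwd",
                "http://169.254.169.254/latest/meta-data/"):
        print(f"{url!r:80} -> {is_safe_outbound_url(url, DEMO_DNS)}")
```

The form-encoded stockApi value from the request above decodes to the first URL in the usage loop, which is the only one the policy accepts. The resolver check matters because a hostname allowlist alone says nothing about where the name actually points; POISONED_DNS shows the allowlisted name being rejected once it resolves to 127.0.0.1.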

  • Frequent Monitoring and Logging
    Monitoring and logging are crucial for identifying and responding to SSRF threats. Real-time monitoring and logging systems let you spot unusual patterns or other indicators of SSRF attacks so that you can act promptly to contain the threat. Thorough logging also supports post-incident analysis and strengthens the overall security posture of your organization.
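What "unusual patterns" look like in practice, as an added example that is not part of the original post: a small scanner over a log of the server-side fetches an application makes on behalf of clients. The log format, the field names and the sample lines are constructed for the example, and the expected backend hostname is an assumption; the point is that logging the outbound target of every server-side fetch makes loopback, metadata-service and file:// destinations, and one client cycling through several of them, stand out.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format: one line per server-side fetch made on behalf of a client.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) feature=(?P<feature>\S+) target=(?P<target>\S+)$"
)

# Assumed: the only host the stock feature is supposed to contact.
EXPECTED_HOSTS = {"stock.mygroceries.net"}

# Constructed sample log: two normal stock checks from one client, then a
# second client walking through loopback, metadata, file and internal targets.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=198.51.100.7 feature=stockApi target=http://stock.mygroceries.net:8080/product/stock/check?productId=6&storeId=1
2024-05-01T10:00:02Z client=198.51.100.7 feature=stockApi target=http://stock.mygroceries.net:8080/product/stock/check?productId=7&storeId=1
2024-05-01T10:00:05Z client=203.0.113.9 feature=stockApi target=http://localhost/admin
2024-05-01T10:00:06Z client=203.0.113.9 feature=stockApi target=http://127.0.0.1:8080/
2024-05-01T10:00:07Z client=203.0.113.9 feature=stockApi target=http://169.254.169.254/latest/meta-data/
2024-05-01T10:00:08Z client=203.0.113.9 feature=stockApi target=file:///etc/passwd
2024-05-01T10:00:09Z client=203.0.113.9 feature=stockApi target=http://10.0.0.5:5984/_all_dbs
"""


def classify_target(target: str):
    """Return a short reason if the fetched target looks like an SSRF probe,
    or None if it is an expected destination."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a name rather than a literal address
        return None if host in EXPECTED_HOSTS else f"unexpected host {host!r}"
    if not addr.is_global:  # loopback, private, link-local (cloud metadata), ...
        return f"non-public address {addr}"
    return None


def scan_log(text: str, threshold: int = 3):
    """Parse the log, flag suspicious fetches and group them by client.
    Returns (findings, alerts): findings is a list of
    (timestamp, client, target, reason); alerts maps each client that reached
    at least `threshold` distinct suspicious targets to that sorted list,
    which is the probing pattern a monitoring rule would page on."""
    findings = []
    targets_by_client = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        reason = classify_target(m["target"])
        if reason:
            findings.append((m["ts"], m["client"], m["target"], reason))
            targets_by_client[m["client"]].add(m["target"])
    alerts = {c: sorted(t) for c, t in targets_by_client.items() if len(t) >= threshold}
    return findings, alerts


if __name__ == "__main__":
    found, alerting = scan_log(SAMPLE_LOG)
    for ts, client, target, reason in found:
        print(f"{ts} {client} {reason}: {target}")
    for client, targets in alerting.items():
        print(f"ALERT {client}: {len(targets)} distinct suspicious targets")
```

Each flagged line is evidence for post-incident analysis on its own; the per-client threshold turns a run of them into the real-time signal, since a legitimate stock check never needs to reach a loopback, link-local or private address.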

Conclusion

This has been a basic overview of Server Side Request Forgery attacks. You can learn more about this attack at the website and the YouTube video linked below.

Server-Side Request Forgery (SSRF) | Complete Guide - YouTube
