OWASP Top Ten – Server Side Request Forgery (SSRF)
27 March, 2023
What is an SSRF?
The next entry in our OWASP Top Ten Series covers Server Side Request Forgeries. Server Side Request Forgery (SSRF) is a security vulnerability that occurs when an attacker is able to make HTTP requests to an internal or external system from a vulnerable server, effectively using the server as a proxy. This can expose sensitive data, internal resources, or potentially allow the attacker to perform malicious actions on the target system.
To protect your website from SSRF attacks, consider implementing the following security measures:
Input validation: Validate user-supplied input to ensure it meets the expected format and content. Use allowlists (a list of approved inputs) rather than denylists (a list of prohibited inputs) to minimize the risk of unexpected input being processed.
Blocklist private IP ranges: Block internal IP addresses and domain names that could be used to access internal resources, such as private IP ranges or localhost addresses.
URL parsing and sanitization: Parse and sanitize URLs to remove potentially dangerous or unnecessary components. For example, remove any embedded credentials or strip unexpected protocols.
Use an allowlist for outgoing connections: Limit outgoing connections to only trusted and required domains or IP addresses. This can help prevent attackers from using your server to access unauthorized resources.
OWASP Top Ten – Server Side Request Forgery In the Wild
Here are two examples of SSRF vulnerabilities with critical Common Vulnerabilities and Exposures (CVE) numbers:
CVE-2022-26135 – This is a fun SSRF in the Mobile Plugin for Jira. Read more about it here.
CVE-2022-41040 – This is a well known SSRF in Microsoft Exchange. This one is a good example of how an SSRF can be chained for critical impact.
Both of these examples highlight the potential impact of SSRF vulnerabilities, as they can allow an attacker to gain unauthorized access to sensitive information or even execute arbitrary code. It’s essential to keep software up-to-date and apply security patches as they become available to mitigate the risk of such vulnerabilities.
Source code review and penetration testing are two important techniques that can help detect and prevent Server Side Request Forgery (SSRF) vulnerabilities in an application.
Source code review:
A source code review is the process of examining an application’s source code to identify potential security vulnerabilities, coding issues, and adherence to best practices. In the context of SSRF, a source code review can help detect vulnerabilities by:
Analyzing how the application handles user input and whether it properly validates and sanitizes the input before using it in server-side requests.
Identifying any server-side components or functions that make network requests, and examining if they properly restrict the use of URLs, IP addresses, or domains.
Ensuring that the application follows security best practices, such as least privilege principle, proper error handling, and secure coding techniques.
Penetration testing, also known as ethical hacking or pen testing, is the process of simulating real-world attacks on an application or system to identify vulnerabilities and weaknesses. For SSRF vulnerabilities, penetration testing can help detect issues by:
Performing targeted tests on areas of the application where user input is used to make server-side requests.
Attempting to use crafted input, such as manipulated URLs or IP addresses, to access internal resources, bypass validation, or gain unauthorized access to restricted systems.
Testing the application’s defense mechanisms, such as input validation.
As we can see, SSRFs can be very impactful. If you’re a penetration tester or bug bounty hunter, you can show heavy impact with them. Want to see some more SSRF? Check out the links below. And as always, reach out to Brackish Security if you want to Make the Bad Guys Salty!