What is Server-Side Request Forgery (SSRF)?
What is Server-Side Request Forgery (SSRF)?
Server-Side Request Forgery which is also known as SSRF arises when an attacker can enforce the server to make DNS or HTTP request to an attacker-controlled server. When the server makes DNS or HTTP call to the user-supplied URL, it may be vulnerable to SSRF vulnerability.
How does an SSRF work?
When the server uses unsanitized user input to make an HTTP or DNS request, an attacker can provide the URL to the server's internal resources. Server's internal resources are restricted for the external world but the server can access these resources. An attacker exploits this configuration by providing URL and path of the internal resources to gain access to them.
What attacker can do by exploiting SSRF?
After successful exploitation, An attacker can access the internal sensitive files of the server by providing the path of that resource. An attacker can also perform the port scanning of the server and its internal network. In several cases SSSRF can also lead to severe attacks like RCE.
Examples:
Let's consider a basic example where an application allows the user to set a profile picture from the URL.
https://vulnerablesite.com/update/profilepicture?URL=https://www.xyx.com/images/1.png
https://vulnerablesite.com/update/profilepicture?URL=https://www.xyx.com/images/1.png
In the above request, the server will make an HTTP call to get the image 1.png and save it as a profile picture of the user. An attacker can exploit it in several ways.
In the above request, the server will make an HTTP call to get the image 1.png and save it as a profile picture of the user. An attacker can exploit it in several ways.
Example 1: Performing Port Scanning via SSRF
Example 1: Performing Port Scanning via SSRF
An attacker can provide the URL of the internal networks to perform post scanning as shown in the example below:
https://vulnerablesite.com/update/profilepicture?URL=http://localhost
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:80
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:8080
https://vulnerablesite.com/update/profilepicture?URL=http://127.0.0.1
https://vulnerablesite.com/update/profilepicture?URL=http://localhost
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:80
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:8080
https://vulnerablesite.com/update/profilepicture?URL=http://127.0.0.1
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:80
https://vulnerablesite.com/update/profilepicture?URL=http://192.168.1.1:8080
https://vulnerablesite.com/update/profilepicture?URL=http://127.0.0.1
As we can see in the above examples, the server will make calls to the payload supplied by the attacker like http://localhost. Generally, these URLs are blocked for the external world but the server can access these internal resources. If an attacker gets an error like not found for http://192.168.1.1:8080 and success on http://192.168.1.1:80, an attacker can assume that 80 is opened and 8080 port is closed on the host 192.168.1.1.
As we can see in the above examples, the server will make calls to the payload supplied by the attacker like http://localhost. Generally, these URLs are blocked for the external world but the server can access these internal resources. If an attacker gets an error like not found for http://192.168.1.1:8080 and success on http://192.168.1.1:80, an attacker can assume that 80 is opened and 8080 port is closed on the host 192.168.1.1.
Example 2: Accessing internal files of the server.
An attacker can also try for the other protocols as well like FTP or file. An attacker can provide payload with file protocol as shown in the following example:
Example 2: Accessing internal files of the server.
An attacker can also try for the other protocols as well like FTP or file. An attacker can provide payload with file protocol as shown in the following example:
https://vulnerablesite.com/update/profilepicture?URL=file:///etc/passwd
https://vulnerablesite.com/update/profilepicture?URL=file:///etc/passwd
if the file protocol is supported, an attacker can retrieve the password file of the Linux file system.
How to prevent an SSRF?
A developer can use a proper validation structure, encoding and escaping to avoid most of the vulnerabilities including SSRF. But still whitelisting or blacklisting is the major step for the prevention of the SSRF.
if the file protocol is supported, an attacker can retrieve the password file of the Linux file system.
A developer can use a proper validation structure, encoding and escaping to avoid most of the vulnerabilities including SSRF. But still whitelisting or blacklisting is the major step for the prevention of the SSRF.
0 Comments