
API7 Server Side Request Forgery

>Control Description

Server-Side Request Forgery (SSRF) flaws occur when an API fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even one protected by a firewall or a VPN. Modern concepts in application development make SSRF both more common and more dangerous: more common because of webhooks, file fetching from URLs, custom SSO, and URL previews; more dangerous because modern technologies such as cloud providers, Kubernetes, and Docker expose management and control channels over HTTP on predictable, well-known paths. Those channels are an easy target for an SSRF attack.

>Prevention & Mitigation Strategies

  1. Isolate the resource fetching mechanism in your network: usually these features are aimed at retrieving remote resources and not internal ones.
  2. Whenever possible, use allow lists for remote origins that users are expected to download resources from (e.g. Google Drive, Gravatar).
  3. Use allow lists for URL schemes and ports.
  4. Use allow lists for accepted media types for a given functionality.
  5. Disable HTTP redirections.
  6. Use a well-tested and maintained URL parser to avoid issues caused by URL parsing inconsistencies.
  7. Validate and sanitize all client-supplied input data.
  8. Do not send raw responses to clients.
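The following is an added example, not code from the OWASP project, showing how strategies 2, 3, 4 and 6 above combine into one pre-fetch check: the allow-listed hosts, ports and media types are constructed for the example, the `resolver` hook is an assumption that makes the check testable without DNS, and the returned dict is one possible shape for handing a vetted target to the HTTP client. The resolution step is defence in depth: an allow-listed name that resolves to a loopback, private or link-local address (the 169.254.169.254 metadata range is link-local) is rejected as well.

```python
# Added example (not from the OWASP page): a defensive pre-fetch URL validator
# implementing the allow-list strategies above. Allow-list contents, the
# resolver hook and the returned dict are constructed for this example.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                                # strategy 3: URL schemes
ALLOWED_PORTS = {443}                                      # strategy 3: ports
ALLOWED_HOSTS = {"drive.google.com", "www.gravatar.com"}   # strategy 2: remote origins (constructed)
ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg"}          # strategy 4: media types


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails any allow-list check."""


def _is_public_ip(ip_str):
    """True only for globally routable addresses; rejects loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 cloud metadata endpoint),
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=_default_resolver):
    """Validate a user-supplied URL before the server fetches it.

    Returns a dict describing the vetted target (host, port, path and the
    resolved addresses the HTTP client should connect to) or raises UnsafeURL.
    `resolver` is injectable so the check can run without network access;
    it must return a list of IP address strings.
    """
    parts = urlsplit(url)  # strategy 6: rely on the standard library's parser
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    # Reject userinfo: "https://allowed.example@other.host/" parses with the
    # allowed name as the *username*, a classic parser-confusion trick.
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port  # raises ValueError on non-numeric/out-of-range ports
    except ValueError as exc:
        raise UnsafeURL(f"invalid port: {exc}") from exc
    if port is None:
        port = 443  # default for the only allowed scheme
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not in allow list: {host!r}")
    # Defence in depth: even an allow-listed name must not resolve to an
    # internal address (compromised or rebinding DNS). Every address is checked.
    try:
        addresses = list(resolver(host))
    except OSError as exc:
        raise UnsafeURL(f"resolution failed for {host!r}") from exc
    if not addresses or not all(_is_public_ip(a) for a in addresses):
        raise UnsafeURL(f"{host!r} resolves to a non-public address")
    return {"host": host, "port": port, "path": parts.path or "/",
            "addresses": addresses}


def is_allowed_media_type(content_type_header):
    """Strategy 4: compare the fetched response's Content-Type against the
    media-type allow list, ignoring parameters such as '; charset=...'."""
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_MEDIA_TYPES
```

The HTTP client should connect to one of the returned `addresses` rather than re-resolving the name, so that a DNS answer cannot change between the check and the connection, and redirects must be disabled (strategy 5; with the `requests` library that is `allow_redirects=False`), because a redirect from an allowed origin would otherwise bypass every check above.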

>Attack Scenarios

#1 Internal port scanning via profile picture URL

An attacker exploits a social network that allows users to upload profile pictures by providing a URL. The attacker provides a URL targeting an internal service (e.g. http://localhost:8080). By observing differences in response time, the attacker can determine which internal ports are open, effectively performing an internal port scan from the server.

#2 Cloud metadata service credential theft

A security product generates events by receiving inputs from networks. For each event, several enrichments are performed by fetching information from internal services. An attacker sends a crafted event to the product with a payload URL pointing to the cloud instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/). The API blindly fetches the URL and returns the sensitive cloud credentials to the attacker.
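Both scenarios leave a trace in the server's own outbound-request log, which is where a defender would look for them. The block below is an added example, not part of the OWASP page: it runs three detection rules over constructed egress log lines from an API's URL-fetching features. The log format, the feature names (`profile-picture`, `event-enrichment`), the rule names and the scan threshold are all assumptions. Rule one flags any request to the instance metadata address regardless of feature (scenario #2); rule two flags a remote-only feature reaching a loopback, private or link-local IP literal (strategy 1 above); rule three flags one feature touching several distinct ports on the same host, the pattern of scenario #1.

```python
# Added example (not from the OWASP page): detection logic for the two scenarios
# above, run over constructed egress (server-originated request) log lines.
# Log format, feature names, rule names and thresholds are assumptions.
import ipaddress
import re
from collections import defaultdict

# Constructed sample of an API's egress log; r2-r5 mirror scenario #1 and r6
# mirrors scenario #2. r7 is a legitimate internal enrichment call.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z req=r1 feature=profile-picture dst=www.gravatar.com:443 status=200 elapsed_ms=120
2024-05-01T10:00:01Z req=r2 feature=profile-picture dst=127.0.0.1:22 status=error elapsed_ms=5
2024-05-01T10:00:01Z req=r3 feature=profile-picture dst=127.0.0.1:80 status=error elapsed_ms=4
2024-05-01T10:00:02Z req=r4 feature=profile-picture dst=127.0.0.1:8080 status=200 elapsed_ms=35
2024-05-01T10:00:02Z req=r5 feature=profile-picture dst=127.0.0.1:8443 status=timeout elapsed_ms=3001
2024-05-01T10:00:03Z req=r6 feature=event-enrichment dst=169.254.169.254:80 status=200 elapsed_ms=12
2024-05-01T10:00:04Z req=r7 feature=event-enrichment dst=enrich.internal.example:8000 status=200 elapsed_ms=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) req=(?P<req>\S+) feature=(?P<feature>\S+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+) status=(?P<status>\S+) elapsed_ms=(?P<ms>\d+)$"
)

# Features that exist to fetch *remote* resources (strategy 1): a non-public
# destination from one of them is a policy violation. Constructed set.
REMOTE_ONLY_FEATURES = {"profile-picture"}
# Cloud instance metadata endpoint from scenario #2; no feature should reach it.
METADATA_HOSTS = {"169.254.169.254"}
# Distinct ports on one host from one feature before it counts as a scan (assumption).
SCAN_PORT_THRESHOLD = 3


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _non_public_ip_literal(host):
    """True if host is an IP literal outside the public ranges. Hostnames are
    not resolved here; a fetch log should record the connected IP for exactness."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def analyze(log_text):
    """Run the three rules over a log batch and return a list of finding dicts
    (keys: rule, feature, host, ports, reqs)."""
    findings = []
    # (feature, host) -> port -> set of request ids, for the scan rule
    ports_seen = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        port = int(e["port"])
        ports_seen[(e["feature"], e["host"])][port].add(e["req"])
        if e["host"] in METADATA_HOSTS:
            findings.append({"rule": "metadata-endpoint-access", "feature": e["feature"],
                             "host": e["host"], "ports": [port], "reqs": [e["req"]]})
        elif e["feature"] in REMOTE_ONLY_FEATURES and _non_public_ip_literal(e["host"]):
            findings.append({"rule": "internal-destination", "feature": e["feature"],
                             "host": e["host"], "ports": [port], "reqs": [e["req"]]})
    for (feature, host), by_port in ports_seen.items():
        if len(by_port) >= SCAN_PORT_THRESHOLD:
            reqs = sorted(set().union(*by_port.values()))
            findings.append({"rule": "port-scan-pattern", "feature": feature,
                             "host": host, "ports": sorted(by_port), "reqs": reqs})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The scan rule counts distinct ports over the whole batch; in production the batch would be a sliding time window keyed on the `ts` field, and the per-request findings would be enriched with the authenticated user who supplied the URL so that the response can be tied to an account rather than only to the fetching feature.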

>Related CWEs

>References
