17 Jan, 2023

SSRF (Server-Side Request Forgery)

ssrf

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

SSRF stands for Server-Side Request Forgery, it is a type of vulnerability that allows an attacker to send a crafted request from a vulnerable web application to an external server. The application may be tricked into sending malicious requests to internal systems, which could lead to sensitive data exposure or other security issues.

In simple terms, SSRF is a vulnerability that allows an attacker to send arbitrary HTTP requests from a server, which could be used to bypass firewalls, access internal networks, and steal sensitive information.

SSRF is a powerful vulnerability that can have serious consequences if exploited. It allows an attacker to circumvent security controls and access sensitive data or internal systems, making it a high-priority issue for organizations to address. It’s important for developers to be aware of the risks associated with SSRF and take appropriate measures to protect their systems and data. Additionally, regular security assessments and penetration testing can help identify and remediate SSRF vulnerabilities before they can be exploited by attackers.

Server-Side Request Forgery (SSRF) is a type of web application vulnerability that allows an attacker to send arbitrary HTTP requests from a vulnerable web application to an external server. The application may be tricked into sending malicious requests to internal systems, which could lead to sensitive data exposure or other security issues.

SSRF vulnerabilities occur when an application is designed to forward a user-supplied URL or other input to an external server, without properly validating or sanitizing the input. This can allow an attacker to craft a request that causes the application to send a request to an internal system or resource that would otherwise be inaccessible. For example, an attacker could use SSRF to access internal network resources such as databases, file servers, or other sensitive systems.

One of the most common use cases of SSRF is when the application uses a user input to construct a URL to fetch a file or a webpage, and the attacker can manipulate the URL to make the application fetch an internal resource or a file on the local filesystem.

Another scenario is when the application uses a user-supplied input to initiate an HTTP request to a third-party server, and the attacker can manipulate the input to make the application initiate the request to a server that the attacker controls, in order to steal sensitive information or launch further attacks.

Example of vulnerable code on different programming languages:

Java:

				
					String url = request.getParameter("url");

URLConnection conn = new URL(url).openConnection(); conn.connect();
				
			

Here, the application is taking a user-supplied URL as a parameter and creating a new URL object with it, which could allow an attacker to initiate a request to an internal resource or a file on the local filesystem.

Python:

				
					import requests

url = request.args.get('url')

response = requests.get(url)
				
			

This Python script is using the requests library to make a GET request to a URL specified in the user input, which could allow an attacker to make a request to an internal resource or a file on the local filesystem.

PHP:

				
					$url = $_GET["url"];

$data = file\_get\_contents($url);
				
			

This PHP script is taking a user-supplied URL as a GET parameter and using the file_get_contents function to fetch the contents of the URL, which could allow an attacker to initiate a request to an internal resource or a file on the local filesystem.

Additionally here are a few examples of SSRF vulnerabilities in different web frameworks:

Ruby on Rails:

				
					def fetch_data

url = params[:url]

data = open(url).read

render json: data

end
				
			

In this example, the Ruby on Rails application is taking a user-supplied URL as a parameter and using the open method to read the contents of the URL, which could allow an attacker to initiate a request to an internal resource or a file on the local filesystem.

Django (Python):

				
					from django.shortcuts import render

import requests

def fetch_data(request):

url = request.GET.get("url")

data = requests.get(url).content

return render(request, 'data.html', {'data': data})
				
			

This Django application is using the python requests library to make a GET request to a URL specified in the user input, which could allow an attacker to make a request to an internal resource or a file on the local filesystem.

Express.js (Node.js)

				
					var express = require('express');

var app = express();

var request = require('request');

app.get('/fetch', function(req, res){

var url = req.query.url;

request(url, function (error, response, body) {

res.send(body);

});

});
				
			

This Node.js application is using the requests library to make a GET request to a URL specified in the user input, which could allow an attacker to make a request to an internal resource or a file on the local filesystem.

These examples are just a few of many ways that SSRF vulnerabilities can occur, and that different programming languages and frameworks may have their own ways of handling external requests that could be vulnerable to SSRF attacks. Additionally, it’s important to validate and sanitize user input, use whitelists to restrict the types of URLs that can be accessed, and implement security controls such as firewalls and intrusion detection systems to prevent SSRF vulnerabilities.

Privilege escalation techniques

Privilege escalation techniques can be used in conjunction with Server-Side Request Forgery (SSRF) vulnerabilities to gain further access or privilege on the affected system.

One popular privilege escalation technique that can be used with SSRF is known as “out-of-band” data exfiltration. This technique involves using an SSRF vulnerability to send a request to a server that the attacker controls, and then using that server to exfiltrate sensitive data from the vulnerable system. This can allow an attacker to bypass firewalls and other security controls that would otherwise prevent the exfiltration of data.

Another popular privilege escalation technique that can be used with SSRF is “internal port scanning”. This technique involves using an SSRF vulnerability to send requests to internal IP addresses or ports on the vulnerable system, in order to identify open ports and services that can be exploited for further access.

Another technique is “Bypassing access controls” this technique is used to gain access to internal resources that would be otherwise inaccessible to the attacker. For example, an attacker could use SSRF to access internal network resources such as databases, file servers, or other sensitive systems, if the application does not properly validate or sanitize the input.

It’s just a few examples of the various privilege escalation techniques that can be used in conjunction with SSRF vulnerabilities, and that new techniques are being developed all the time.

General methodology and checklist for testing for SSRF vulnerabilities

SSRF vulnerabilities typically involves the following steps:

1. Identify potential inputs that are used to construct URLs or initiate requests to external servers. These inputs may include GET or POST parameters, headers, and other user-supplied data.

2. Test each input by providing a variety of different URLs or IP addresses as the input, including internal resources, localhost, and other special values.

3. Observe the application’s behavior when provided with different inputs, and look for signs of SSRF vulnerabilities, such as the ability to access internal resources or exfiltrate data.

4. Document any vulnerabilities found, including the input that was used to trigger the vulnerability, the type of vulnerability, and the potential impact.

A checklist for testing for SSRF vulnerabilities:

1. Verify if the application makes HTTP requests to user-supplied URLs

2. Verify if the application makes HTTP requests to user-supplied IP addresses

3. Verify if the application makes HTTP requests with user-supplied headers and/or cookies

4. Verify if the application makes HTTP requests to internal resources or localhost

5. Check if the application has any protection mechanisms against SSRF attacks (e.g. whitelisting allowed URLs)

6. Test if it’s possible to use the SSRF vulnerability to gain access to internal resources or steal sensitive data

7. Test if it’s possible to use the SSRF vulnerability to perform out-of-band data exfiltration

8. Test if it’s possible to use the SSRF vulnerability to perform internal port scanning

9. Test if it’s possible to use the SSRF vulnerability to bypass access controls

10. Test if it’s possible to use the SSRF vulnerability to exploit other vulnerabilities

Tools set for exploiting SSRF vulnerabilities

Here is a list of popular software and tools for SSRF attacks and detection.

SSRF attack tools:

Burp Suite: A popular web application security testing tool that includes a feature for testing SSRF vulnerabilities. It allows you to manually craft and send HTTP requests, and can be used to test for and exploit SSRF vulnerabilities.

SSRFmap: A Python-based tool specifically designed to automate the testing of SSRF vulnerabilities. It can be used to test for and exploit SSRF vulnerabilities, and can also be used to perform out-of-band data exfiltration and internal port scanning.

SSRF-Scanner: A simple Python-based tool that can be used to detect SSRF vulnerabilities. It can be used to scan a target URL for potential SSRF vulnerabilities, and can also be used to perform out-of-band data exfiltration and internal port scanning.

SSRF Injector: A tool that can be used to test for and exploit SSRF vulnerabilities. It can be used to generate payloads for SSRF attacks and can also be used to perform out-of-band data exfiltration and internal port scanning.

Acunetix: An automated web application security testing tool that can be used to detect a wide variety of web application vulnerabilities, including SSRF vulnerabilities.

Nessus: A vulnerability scanner that can be used to scan networks and web applications for a wide variety of vulnerabilities, including SSRF vulnerabilities.

SSRF detection tools:

Web Application Firewall (WAF): A security device that monitors incoming and outgoing network traffic, and can be used to detect and prevent SSRF attacks.

Intrusion Detection System (IDS): A security system that monitors network traffic and alerts when it detects suspicious activity, including SSRF attacks.

Network Security Monitoring (NSM): A security strategy that monitors network traffic in real-time and can be used to detect SSRF attacks.

SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) : These are the methodologies and tools used for finding security vulnerabilities in the applications, They can be used for finding SSRF vulnerabilities as well.

Additionally there are also browser plugins and tools for manual test that can be used to detect SSRF vulnerabilities.

XSS-Radar: a browser extension that allows you to test for and detect SSRF vulnerabilities by automatically sending a variety of different payloads to a target URL.

OWASP ZAP: OWASP ZAP is a popular browser extension that can be used to test for and detect a wide variety of web application vulnerabilities, including SSRF vulnerabilities.

Telnet: Telnet is a command-line tool that can be used to manually test for SSRF vulnerabilities by sending HTTP requests to a target URL.

cURL: cURL is a command-line tool that can be used to manually test for SSRF vulnerabilities by sending HTTP requests to a target URL.

Fiddler: Fiddler is a web debugging proxy tool that can be used to manually test for SSRF vulnerabilities by intercepting and modifying HTTP requests.

The Common Weakness Enumeration (CWE)

The main Common Weakness Enumeration (CWE) related to Server-Side Request Forgery (SSRF) vulnerabilities is CWE-918: Server-Side Request Forgery (SSRF). This CWE specifically refers to the use of untrusted input to construct a URL or initiate a request to an external server. This vulnerability allows an attacker to access sensitive internal resources, exfiltrate data, and perform other malicious actions on the affected system, by making requests to internal servers on behalf of the application.

There are other CWEs listed below may also be related to SSRF vulnerability:

CWE-917: Improper Control of Document Type Definition (DTD) Reference is a vulnerability that occurs when an application does not properly validate or sanitize user-supplied input that is used to construct URLs or initiate requests to external servers. An attacker could supply a malicious DTD that could cause the application to make requests to internal resources or perform other malicious actions.

CWE-919: Improper Control of Filename for Include/Require Condition in PHP Script is a vulnerability that occurs when an application does not properly validate or sanitize user-supplied input that is used to construct URLs or initiate requests to external servers. An attacker could supply a malicious filename that could cause the application to make requests to internal resources or perform other malicious actions.

CWE-921: Improper Restriction of Names of Files or Directories is a vulnerability that occurs when an application does not properly validate or sanitize user-supplied input that is used to construct URLs or initiate requests to external servers. An attacker could supply a malicious file or directory name that could cause the application to make requests to internal resources or perform other malicious actions.CWE-922: Improper Restriction of Names of Files or Directories in Web Page is a vulnerability that occurs when an application does not properly validate or sanitize user-supplied input that is used to construct URLs or initiate requests to external servers. An attacker could supply a malicious file or directory name that could cause the application to make requests to internal resources or perform other malicious actions.

CWE-923: Improper Restriction of Names of Files or Directories in Web Page Using Scripting Language is a vulnerability that occurs when an application does not properly validate or sanitize user-supplied input that is used to construct URLs or initiate requests to external servers. An attacker could supply a malicious file or directory name that could cause the application to make requests

Important to note that new CWEs are being identified all the time.

SSRF vulnerability exploits

There are several methods for exploiting Server-Side Request Forgery (SSRF) vulnerabilities, including:

  • Internal Port Scanning: An attacker can use an SSRF vulnerability to scan internal networks for open ports and potentially discover sensitive information or other vulnerabilities.

  • Out-of-band Data Exfiltration: An attacker can use an SSRF vulnerability to extract sensitive data from the target system by sending the data to a server under the attacker’s control.

  • File Reading: An attacker can use an SSRF vulnerability to read sensitive files on the target system, such as configuration files or sensitive data.

  • File Upload: An attacker can use an SSRF vulnerability to upload malicious files to the target system.

  • Command Injection: An attacker can use an SSRF vulnerability to execute arbitrary commands on the target system.

  • Accessing Sensitive Internal Resources: An attacker can use an SSRF vulnerability to access sensitive internal resources, such as databases or other internal servers.

  • HTTP Request Smuggling: An attacker can use an SSRF vulnerability to smuggle malicious HTTP requests through the target system, potentially bypassing security controls.

  • HTTP Request Hijacking: An attacker can use an SSRF vulnerability to hijack legitimate HTTP requests and redirect them to a server under the attacker’s control.

  • Bypassing Firewalls and Intrusion Detection Systems: An attacker can use an SSRF vulnerability to bypass firewalls and intrusion detection systems by making requests to internal resources.

  • DDoS Attack: An attacker can use an SSRF vulnerability to launch a Distributed Denial of Service (DDoS) attack by making requests to external resources.

Practicing in test for open redirect vulnerability

A few steps you can take to practice testing for SSRF vulnerabilities:

1. Understand the basics: Understand what SSRF is, how it works, and what types of attacks it can be used to perform.

2. Identify potential SSRF vulnerabilities: Look for areas of your web application that take user input and use it to construct URLs or initiate requests to external servers. Common examples include forms, search fields, and login pages.

3. Test for SSRF vulnerabilities: Use a variety of different methods to test for SSRF vulnerabilities, including manual testing, automated testing, and fuzzing. Be sure to test for all types of SSRF vulnerabilities, including internal port scanning, out-of-band data exfiltration, file reading, and command injection.

4. Validate and sanitize user input: Make sure that your web application properly validates and sanitizes user input to prevent SSRF vulnerabilities. Use whitelists to restrict the types of URLs that can be accessed, and implement security controls such as firewalls and intrusion detection systems to prevent SSRF vulnerabilities.

5. Practice exploiting SSRF vulnerabilities: Once you have identified an SSRF vulnerability, practice exploiting it to see what types of data or actions you can access or perform.

6. Learn from your mistakes: Document any SSRF vulnerabilities you find, and make note of what you did wrong and what you did right. Use this information to improve your testing process and prevent SSRF vulnerabilities in the future.

7. Stay up-to-date: Stay informed about the latest SSRF vulnerabilities and exploitation techniques, so you can test for and defend against them.

Books with review of open redirect vulnerability

Some of the popular books that cover Server-Side Request Forgery (SSRF) vulnerabilities, along with a short description of each:

1. “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book provides a comprehensive guide to finding and exploiting web application security flaws, including SSRF vulnerabilities. It covers the latest techniques for discovering and exploiting these vulnerabilities, and includes practical examples and case studies.

2. “Web Hacking: Attacks and Defense” by Stuart McClure, Joel Scambray and George Kurtz – This book provides a comprehensive guide to web hacking, including SSRF vulnerabilities. It covers the latest techniques for discovering and exploiting these vulnerabilities, and includes practical examples and case studies.

3. “Hacking: The Art of Exploitation” by Jon Erickson – This book provides a comprehensive guide to hacking, including SSRF vulnerabilities. It covers the latest techniques for discovering and exploiting these vulnerabilities, and includes practical examples and case studies.

4. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book provides a guide to using Python for hacking, including SSRF vulnerabilities. It covers the latest techniques for discovering and exploiting these vulnerabilities, and includes practical examples and case studies.

5. “Web Application Hacker’s Handbook 2nd Edition” by Dafydd Stuttard – This book provides a comprehensive guide to finding and exploiting web application security flaws, including SSRF vulnerabilities. It covers the latest techniques for discovering and exploiting these vulnerabilities, and includes practical examples and case studies.

List of payloads suitable for SSRF vulnerabilities

1. Internal IP Address: Attempting to access internal IP addresses, such as “http://127.0.0.1” or “http://10.0.0.1“, can help identify SSRF vulnerabilities that allow access to internal resources.

2. Loopback Address: Attempting to access the loopback address, such as “http://localhost“, can help identify SSRF vulnerabilities that allow access to internal resources.

3. File Paths: Attempting to access file paths, such as “file:///etc/passwd”, can help identify SSRF vulnerabilities that allow access to sensitive files on the target system.

4. External IP Address: Attempting to access external IP addresses, such as “http://8.8.8.8” can help identify SSRF vulnerabilities that allow access to external resources.

5. DNS Lookup: Attempting to perform a DNS lookup, such as “http://example.com/lookup?host=google.com” can help identify SSRF vulnerabilities that allow access to external resources.

6. Localhost Address: Attempting to access the localhost address, such as “http://127.0.0.1:22” can help identify SSRF vulnerabilities that allow access to internal resources.

7. File URL: Attempting to access a file URL, such as “file:///etc/passwd” can help identify SSRF vulnerabilities that allow access to sensitive files on the target system.

8. Bypassing Firewalls: Attempting to access internal resources by bypassing firewalls, such as “http://internal-ip-address” can help identify SSRF vulnerabilities that allow access to internal resources.

9. Data URI: Attempting to access data URI, such as “data:text/html,<html>test</html>” can help identify SSRF vulnerabilities that allow access to internal resources.

10. Local File Inclusion: Attempting to access local files using LFI payloads, such as “http://127.0.0.1/../../../../../../etc/passwd” can help identify SSRF vulnerabilities that allow access to sensitive files on the target system.

How to be protected from SSRF vulnerabilities

1. Validate and sanitize user input: Make sure that your web application properly validates and sanitizes user input to prevent SSRF vulnerabilities. This includes using whitelists to restrict the types of URLs that can be accessed, and implementing input validation checks to ensure that user input conforms to a specific format.

2. Use a Content Security Policy (CSP): Use a Content Security Policy (CSP) to specify which sources of content are allowed to be loaded by your web application. This can help prevent SSRF attacks by blocking malicious requests from being loaded.

3. Implement access controls: Implement access controls to limit the types of requests that can be made to internal resources. This can include limiting the types of URLs that can be accessed, and implementing authentication and authorization checks to ensure that only authorized users can access internal resources.

4. Use firewalls and intrusion detection systems: Use firewalls and intrusion detection systems to prevent unauthorized access to internal resources. This can include implementing rules to block specific types of requests, and monitoring for suspicious activity.

5. Keep your software up-to-date: Keep your software up-to-date to ensure that you are protected against the latest SSRF vulnerabilities. This includes updating your web application framework and any other software that your web application relies on.

6. Train your developer and user: Regularly train your developers, and end-users on the SSRF vulnerabilities and the importance of keeping software and systems updated.

7. Monitor and Audit: Regularly monitor and audit your systems, network and applications for any suspicious activity.

Mitigations for SSRF vulnerability

There are several mitigations that can be used to protect against Server-Side Request Forgery (SSRF) vulnerabilities, including:

1. Input Validation: Input validation is the process of ensuring that user-supplied input conforms to a specific format. This can include using whitelists to restrict the types of URLs that can be accessed, and implementing input validation checks to ensure that user input conforms to a specific format.

2. Whitelisting: Whitelisting is the process of specifying which sources of content are allowed to be loaded by your web application. This can include specifying a list of approved IP addresses or domains, and blocking requests that do not match the approved list.

3. Access Control: Access control is the process of limiting the types of requests that can be made to internal resources. This can include implementing authentication and authorization checks to ensure that only authorized users can access internal resources.

4. Firewall: Firewalls can be used to prevent unauthorized access to internal resources. This can include implementing rules to block specific types of requests, and monitoring for suspicious activity.

5. Intrusion Detection System (IDS): Intrusion Detection Systems (IDS) can be used to detect and prevent unauthorized access to internal resources. This can include monitoring for suspicious activity and alerting administrators to potential SSRF attacks.

6. Content Security Policy (CSP): CSP is a security feature that can help prevent SSRF attacks by blocking malicious requests from being loaded.

7. Regularly updating software: Keep your software up-to-date to ensure that you are protected against the latest SSRF vulnerabilities. This includes updating your web application framework and any other software that your web application relies on.

Conclusion

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to manipulate a system to make requests to internal or external resources. To detect and prevent SSRF, it’s important to understand the basics of SSRF, identify potential vulnerabilities, test for vulnerabilities and use a combination of different security measures such as input validation, whitelisting, access control, firewalls, intrusion detection systems and regular software updates.

Other Services

Ready to secure?

Let's get in touch