JANUARY 1, 2024

SERVER-SIDE REQUEST FORGERY(SSRF)

SAKTHI AYYAPPAN
 SERVER-SIDE REQUEST FORGERY

• Server-Side Request Forgery (SSRF) is a web application security

vulnerability that allows an attacker to trick the server into making

unauthorized HTTP requests to external or internal resources.

• It’s all about an attacker crafting a request that the server obediently

sends as its own, bypassing its access controls and potentially

exposing sensitive data, executing malicious commands, or

disrupting internal systems

• In other cases, they may be able to force the server to connect to

arbitrary external systems.

• This could leak sensitive data, such as authorization credentials.

COMMON TYPES OF SSRF ATTACKS :

• REFLECTED SSRF

• BLIND SSRF

• DNS REBINDING

• PROTOCOL BASED ATTACK

• FILE UPLOAD SSRF

• SOCKET CONNECTION SSRF

• SERVER -SIDE CACHE POISIONING

• TIME BASED ATTACK

• SSRF VIA SERVER MISCONFIGURATIONS

REFLECTED SSRF :

• Reflected SSRF occurs when an attacker can inject malicious input

into a web application, and the application then reflects that input

back to the user, causing the user's browser to make a request to

a controlled or manipulated URL

• In reflected SSRF, the payload is immediately reflected back to the

user in the response

HOW REFLECTED SSRF WORKS ?

• The web application takes user input, typically through

parameters in the URL or form fields.

• Now,An attacker injects a crafted payload into the user input

fields. This payload often includes a manipulated URL

pointing to an internal resource.

• Then server processes the user input, incorporating the

malicious payload into its request processing logic.

• The server generates a response to the user's input, and

this response includes the manipulated payload.

• The response is sent back to the user's browser.

• The user's browser, upon receiving the response from the

server, automatically interprets the manipulated payload as

a URL and makes a request to that URL.

• The request generated by the user's browser is sent to the

manipulated or controlled URL.

• If the URL points to an internal resource, the server might

inadvertently make a request to that internal resource on

behalf of the user's browser.

BLIND SSRF :

• Blind SSRF (Server-Side Request Forgery) refers to a

scenario where an attacker can exploit an SSRF

vulnerability.

• The attacker cannot directly observe the response from the

internal resource.

• This may happen when the application does not disclose

the response data or when the attacker cannot directly

interact with the response due to various constraints.

WORKING OF BLIND SSRF :

• The attacker injects a payload into a user-input field or other

vulnerable parts of the web application.

• This payload typically contains a manipulated URL pointing to an

internal resource.
 • The web application processes the injected payload and makes a

request to the specified URL, which could be an internal server or

resource.

• In contrast to standard SSRF attacks, the server does not directly

display the response from the internal resource to the attacker. This

could be due to various reasons, such as the response being not

disclosed in the application's output or the attacker being unable to

interact directly with the response.

Despite not seeing the response directly, the attacker employs techniques

to confirm the success of the SSRF attack indirectly like the Time Delays

• Based on the indirect confirmation, the attacker can exploit the

SSRF vulnerability to gather information about the internal network,

perform port scanning, or possibly interact with internal resources

without receiving direct feedback

DNS Rebinding:

• In DNS rebinding attacks, the attacker provides a malicious DNS

response that changes over time.

• This allows the attacker to redirect requests to different IP

addresses, potentially reaching internal resources.

• It is an effective way for attackers to bypass the same-origin policy,

as the malicious code appears to be originating from the same

domain as the victim's legitimate requests.

• This technique allows attackers to interact with internal services and

devices that are not supposed to be directly accessible from the

internet.

Protocol-Based Attacks:

• SSRF can exploit different protocols, such as HTTP, FTP, and

others.

• The attacker may manipulate the server to make requests to

internal services or retrieve sensitive information using these

protocols.
 • In a protocol-based Server-Side Request Forgery (SSRF) attack,

the attacker manipulates the server into making unintended

requests to internal resources by exploiting different network

protocols.

• Instead of solely relying on HTTP requests, the attacker leverages

other protocols to interact with internal systems.

File Upload SSRF:

• If a server allows file uploads and processes them, an attacker might

upload a file that triggers SSRF when processed by the server.

For example, an image with embedded URL or XML External Entity (XXE)

attack.

• File upload-based SSRF attacks involve exploiting vulnerabilities in

web applications that allow users to upload files, such as images

or documents, to the server.

• Attackers can manipulate the file content or metadata in a way

that triggers a Server-Side Request Forgery (SSRF) vulnerability.

Basically it takes advantage of the file upload functionality

Socket Connection SSRF:

• Some applications allow making socket-level connections. An

attacker could use SSRF to connect to internal services over various

protocols like SMTP, SNMP, or others.

• Socket-based Server-Side Request Forgery (SSRF) attacks involve

exploiting applications that allow the server to initiate socket-level

connections to arbitrary destinations.

• In these attacks, an attacker tricks the vulnerable server into

establishing a connection to an unintended target, often within an

internal network.

EXAMPLE : VULNERABLE SERVER WITH SOCKET

FUNCTIONALITY

Server-Side Cache Poisoning:

• If the server relies on caching mechanisms and performs SSRF, an

attacker may manipulate the cache content to store malicious data

or retrieve sensitive information.

Server-Side Cache-Based SSRF attacks involve manipulating server-side

caching mechanisms to exploit SSRF vulnerabilities.

 • The goal is to abuse the caching system to store malicious data or

to retrieve sensitive information from internal resources.

Time-Based Attacks:

• In time-based SSRF attacks, the attacker can use the server's

response time to determine whether a request was successful or

not.

• This information can be useful for discovering internal resources.

• These attacks involve exploiting timing differences in the server's

responses to determine whether a particular action was successful

or not.

• The attacker uses delays or timeouts in the server's response to

gather information about the internal network.

SSRF via Server Misconfigurations:

• Misconfigurations, such as allowing the server to access the internal

network without proper restrictions, can be exploited by SSRF

attacks.

• Ssrf attacks often exploit misconfigurations in the server's settings

or access controls. These misconfigurations enable attackers to
 make requests to internal resources or perform actions on behalf of
the server.
EXAMPLE :LACK OF INPUT VALIDATION

IMPACTS OF SSRF :

• One of the primary risks of SSRF is unauthorized access to internal

resources.

• Attackers can manipulate the vulnerable application to make

requests to internal servers, databases, or services that are not

intended to be directly accessible from the internet.

SOME SERIOUS IMPACTS INCLUDES:

1. Data Leakage:

2. Remote Code Execution (RCE):

3. Attacking Internal Services:

4. Port Scanning and Network Mapping:

5. Distributed Denial of Service (DDoS):

6. Bypassing Security Controls:

7. Abuse of Cloud Metadata Services:

8. Security Token Abuse:

MITIGATIONS ?

Here are some mitigations techniques for Server-Side Request Forgery

(SSRF) vulnerabilities:

1. Input Validation and Sanitization:

• Rigorously validate and sanitize all user-supplied data, especially

URLs.

• Implement a positive allow list, restricting allowed URLs to

known, trusted domains.

• Reject any URLs containing local addresses (e.g., 127.0.0.1,

localhost), private IP ranges, or potentially risky protocols (e.g.,

file://, gopher://).

• Apply strict URL parsing and validation libraries to ensure correct

format and prevent encoding tricks.

2. Enforce URL Schema, Port, and Destination:

• Restrict outgoing connections to specific protocols (e.g., HTTP,

HTTPS) and ports.

 • Implement a firewall or network segmentation to control outbound

traffic and block unauthorized destinations.

3. Disable HTTP Redirections:

• Prevent attackers from manipulating URLs through redirects.

• Set the followRedirects property to false in HTTP libraries or

implement custom redirect handling.

4. Use Secure URL Parsers:

• Employ libraries designed to handle URL parsing safely and prevent

common SSRF attacks.

• Avoid using vulnerable functions like file_get_contents() in PHP

or urllib.urlopen() in Python for URL retrieval.

5. Implement Access Controls:

• Enforce access controls based on user roles and permissions.

• Restrict access to sensitive functions or resources that could be

exploited for SSRF.

6. Disable or Protect Sensitive Services:

• Avoid deploying security-related services (e.g., OpenID) on front-

facing systems.

• Control local traffic on these systems to prevent unauthorized

access.

7. Use Network-Level Protection:

• Implement firewalls or web application firewalls (WAFs) to filter and

block malicious traffic.

• Consider network segmentation to isolate sensitive systems and

services.

8. Migrate to IMDSv2 in AWS:

• For cloud environments, use IMDSv2, which is more secure against

SSRF attacks targeting metadata services.

• Disable IMDSv1 to prevent its exploitation.

9. Regularly Scan for Vulnerabilities:

 • Conduct regular vulnerability scans to identify and patch SSRF flaws

promptly.

• Utilize web application security scanners and penetration testing

tools.

10. Stay Updated on Security Best Practices:

• Remain informed about the latest SSRF attack techniques and

mitigation strategies.

• Follow security best practices for web application development and

deployment
REFERENCES :

https://portswigger.net/web-
security/ssrf#:~:text=Server%2Dside%20request%20forgery%20is,services%20within%
20the%20organization's%20infrastructure.

https://www.feroot.com/education-center/what-is-server-side-request-forgery-ssrf/