Server-side request forgery (SSRF)

Description

Server-side request forgery (SSRF) is a vulnerability in which an attacker can make the web server send requests to another server or to internal resources that are not reachable from outside (for example, hosts behind the firewall).

This vulnerability typically occurs when the web application fetches a resource from a URL supplied by the user, for example https://site.com/load.php?url=externalsite.com/something. Here the url parameter is vulnerable to SSRF: if the attacker changes it to localhost, 127.0.0.1 or an internal hostname, the server makes that request on the attacker's behalf, and the attacker may be able to access the internal server.

Depending on how the application fetches URLs, the attacker may be able to reach only internal servers, or both internal servers and external websites.

In some situations the attacker cannot see the response to the crafted request even though the request is sent successfully. This is called blind SSRF. It can still be detected, for example by pointing the URL at a server the attacker controls and watching for the incoming request, or by comparing response times for internal and non-existent targets.

Impact

  • Bypassing IP whitelisting

    • If yoursite.com's IP is whitelisted for some private resource, an attacker can use SSRF to reach that resource from your IP.
  • Access to your internal network (bypassing the firewall)

  • May lead to remote code execution, for example when the forged request reaches an internal service that executes what it receives and requires no authentication.

  • May use your server for malicious activity, such as a DoS attack against another server.

    • Because the requests originate from your organization, the organization under attack will see your organization as the source of the DoS.
  • Can be chained into reflected cross-site scripting (XSS) when the fetched response is echoed back to the user.

Prevention

  • Use whitelisting instead of blacklisting for services, protocols and IPs, and apply the check to the address the server actually connects to (after DNS resolution and after any redirect), not only to the hostname in the URL.
  • Validate responses
    • If you must make such an external request, check that the response is what you expected (for example its content type and format) and only show it to the user if it is.
  • Enable authentication on internal services
    • If an attacker reaches your internal network, services such as databases should still be protected. By default, many services are not password protected inside the internal network.
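The following is an added example, not code from the original page: it puts the kind of substring blacklist that a handler like load.php?url=... might rely on beside an allowlist-based validator that implements the prevention points above (allowlisted scheme, host and port; the resolved address checked against non-public ranges; the response checked before it is returned). The hostnames, the DNS table standing in for socket.getaddrinfo, and the attacker URLs are all constructed for illustration so the script runs offline.

```python
"""Added example: naive SSRF blacklist beside an allowlist-based validator.
All hostnames, addresses and the fake DNS table below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for socket.getaddrinfo so the example
# runs offline. In production, connect to the address you validated instead of
# letting the HTTP client resolve the name a second time (DNS rebinding).
FAKE_DNS = {
    "cdn.example-partner.com": ["93.184.216.34"],   # public (constructed)
    "evil.example": ["127.0.0.1"],                  # public name -> loopback
    "metadata.example": ["169.254.169.254"],        # cloud metadata address
}

ALLOWED_HOSTS = {"cdn.example-partner.com"}   # allowlist, not a blacklist
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def naive_is_safe(url: str) -> bool:
    """Vulnerable: a substring blacklist is trivially bypassed (127.1,
    decimal IPs, [::1], names that resolve to loopback, userinfo tricks)."""
    lowered = url.lower()
    return "localhost" not in lowered and "127.0.0.1" not in lowered


def resolve(host: str, dns=FAKE_DNS):
    """Resolve host to ipaddress objects; an IP literal resolves to itself."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]


def validate_target(url: str, dns=FAKE_DNS):
    """Allowlist scheme, host and port, then require that every address the
    host resolves to is globally routable. Returns (ok, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname          # strips userinfo, IPv6 brackets and port
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # The allowlist alone does not help if an allowed name (or a rebinding
    # DNS record) points at something internal, so check the addresses too.
    addrs = resolve(host, dns)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def response_is_expected(content_type: str, body: bytes) -> bool:
    """Validate the response before echoing it: here the handler is only
    supposed to serve PNG images, so check the header and the magic bytes."""
    media = content_type.split(";")[0].strip().lower()
    return media == "image/png" and body.startswith(b"\x89PNG\r\n\x1a\n")


# Constructed attacker inputs for the url parameter.
ATTACKER_URLS = [
    "https://localhost/admin",
    "https://127.1/admin",                         # short form of 127.0.0.1
    "https://2130706433/admin",                    # decimal form of 127.0.0.1
    "https://[::1]/admin",
    "https://evil.example/",                       # resolves to loopback
    "https://metadata.example/latest/meta-data/",
    "https://cdn.example-partner.com@evil.example/",   # userinfo trick
    "https://cdn.example-partner.com:22/",         # port pivot
    "file:///etc/passwd",
    "https://cdn.example-partner.com/img/a.png",   # the one legitimate target
]

if __name__ == "__main__":
    for u in ATTACKER_URLS:
        ok, why = validate_target(u)
        print(f"{u:50} naive={naive_is_safe(u)!s:5} hardened={ok!s:5} {why}")
```

Running the script shows that the blacklist only stops the literal "localhost" form, while the allowlist rejects every crafted URL and accepts the single legitimate one; passing a different dns table (for example the partner name pointing at 10.0.0.5) demonstrates why the resolved address is checked as well.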

Tools