SSRF Exploitation and Prevention Majors

December 5, 2020
Browse All Blogs
In this article, we will go through the web security vulnerability known as Server Side Request Forgery. The topics covered are as follows:
Introduction to SSRF
Impact of SSRF
How SSRF works
Types of SSRF
Performing SSRF using Charles proxy
SSRF Prevention Methods
Conclusion

Introduction to SSRF

SSRF stands for Server-Side Request Forgery. This vulnerability is also known as Cross-Site Port Attack. It is a Web Security Vulnerability that allows the attacker to send the malicious HTTP request to the server & gain access to internal resources that are protected by WAF (Web Application Firewall).
In short, we can say that in this vulnerability attacker uses HTTP requests to attack the arbitrary domain of his choice.
Source : Acunetix

Impact of SSRF

A successful SSRF attack can often result in unauthorized action or access within the system through a third-party application, either in the application itself or on the back-end application through which the application communicates.

With a successful SSRF attack, you can perform various other things including port scan, internal scan, read resources that are not accessible to them, abusing the vulnerable server, retrieve sensitive information, and many more.

How SSRF Works

Source: DZone
An attacker sends the requests of the vulnerable server.
The vulnerable server requests the victim server which is protected with a Firewall
The victim server responds to the vulnerable server
An attacker sends the requests of the vulnerable server.

Types of SSRF

There are two types of SSRF vulnerabilities 

1. Basic SSRF: The one which displays the result to the attacker
2. Blind SSRF: The one which does not show a response.
Let’s take a look at the common SSRF attacks

SSRF Attack Against Itself

In this type of attack, the attacker tempts the server of making an HTTP request to the server that’s hosting the application. This request will generally include the loopback address i.e 127.0.0.1 or localhost
For e.g: A shopping site allows users to check the stock of products in 3 different cities targeting the particular store. To show the stock remaining the application must query the server that contains all the information. This requires to send the URL to the server at the end-point using an HTTP request. So when the stock has viewed the request made by the browser is:
POST/product/stockHTTP/1.0
Content-Type:application/x-www-form-urlencoded
Content-Length:118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
Here, the browser will request a specific URL, get stock status, and return the information. During this whole process, the attacker can fetch the URL and modify it to query the server itself.
For example:
POST/product/stockHTTP/1.0
Content-Type:application/x-www-form-urlencoded
Content-Length:118

stockApi=http://localhost/admin
Here the attacker will be able to gain the resources of admin. Due to this, the attacker will have full access to all the administrative resources. Due to this SSRF is a critical vulnerability.

SSRF Attack Against Other Back-end Systems.

Another type of attack is when the server can interact with other back-end-devices that are not generally accessible to the end-user. These systems have a non-routable private IP address. Generally, these types of devices are protected with network topology so they have weaker security. Sometimes these types of devices are accessible directly if you can access the backend devices without authentication.

Performing SSRF Using Charles Proxy

In this video, we have explained how you can exploit SSRF vulnerability using Charles proxy.

So the question arises that what is Charles's proxy?

Charles proxy is a web proxy (HTTP Proxy / HTTP Monitor) that works on your personal computer. You can configure your browser to use the internet through Charles. It can display the results of data and received between browser and client.

SSRF Prevention Methods

The following are the methods that can help to take preventive measures against SSRF. 

Whitelisting the IP & DNS

The most efficient way to prevent SSRF is whitelisting the Ip address or DNS name that your system needs to access. But if whitelisting is not possible for you you can always go for blacklisting but the attacker can always bypass the blacklisting. It is important to validate user input.

Sanitize the User Input

Don’t accept the request blindly from the trusted user too. Every request should be validated and then accepted from user input to avoid SSRF

Response Management

To prevent data leakage to the attacker customized error page should be generated. The raw response body of the server request must not be submitted to the client under any circumstances.

Disable the Use Of Unused URL

If your application is using HTTP or HTTPS then every other protocol should be blacklisted. In other words, you can whitelist these two protocols and blacklist every other protocol so that other schemas such as file:///, direct://, FTP://, touch://, and more cant be used.

Authenticate Internal Resources

There is some application such as MongoDB that doesn’t require authentication. This type of application can be accessed by an attacker to launch an SSRF attack. Therefore, it is best to authenticate internal resources whenever possible.

Install Firewalls

Installing a firewall doesn’t make your data secure it just creates another barrier between the attacker and your data. But it is recommended to install a good firewall with strong policies.

Conclusion

Not all SSRF needs to use the HTTP protocol. The attacker can use any other protocol or they can even redirect the protocol. Luckily the SSRF vulnerability is not very common but it can cause a serious security breach. SSRF is beginning to be a problem for those also who have the infrastructure in the cloud. It’s best to take precautions before you are a victim of SSRF or any other Web Security vulnerabilities. Join our AWAPT course for more knowledge of various ways to exploit the vulnerabilities and prevention techniques.

Users also read:

December 5, 2020
SSRF Exploitation and Prevention Majors

we will go through the web security vulnerability known as Server Side Request Forgery. It allows the attacker to send the malicious HTTP request to the server.

November 4, 2020
Antivirus: Do You Need It? This Will Help You Decide!

As I was working on my laptop the other day the popup appeared saying your Antivirus is expired do you want to renew it?. Till you renew Windows Defender will protect your system. So it got me thinking that is antivirus necessary? As the name suggests, antivirus software is a virus-resistant application. It identifies or recognizes the virus and works to eliminate it from the computer system after the identification of the virus.

October 28, 2020
Alert! New Chrome 0-Day Hijacking Targeted Computers

Google has set out an update to Chrome web browser version 86.0.4240.111 that addresses five security bugs, including vulnerabilities that are proven to be actively exploited by attackers.

Leave a Reply

Your email address will not be published. Required fields are marked *

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram