Can You Request From A Web Service

Introduction to server-side request forgery (SSRF)

Web applications tin trigger requests betwixt HTTP servers. These are typically used to fetch remote resource, such as software updates, or to import metadata from a URL or another web application. Such inter-server requests are not dangerous in general, only unless implemented correctly, they can make a server vulnerable to server-side request forgery, or SSRF.

An SSRF vulnerability is introduced when user-controllable data is used to build the target URL. To perform an SSRF assail, an attacker can so alter a parameter value in the vulnerable spider web application to create or control requests from the vulnerable server.

External resources accessed by a spider web awarding may include internal services, for instance an RSS feed from some other website. A developer might use the following URL to retrieve a remote feed:

          https://example.com/feed.php?url=externalsite.com/feed/to        

If the attacker is able to alter the url parameter to localhost (the loopback interface), this may permit them to view local resource hosted on the server, making it vulnerable to server-side request forgery.

If attackers can control the destination of server-side requests, this opens upwards a whole assortment of offensive activities, potentially assuasive them to:

• Corruption the trust relationship between the vulnerable server and other systems
• Bypass IP whitelisting
• Featherbed host-based authentication services
• Read web resources and other useful assets that are not accessible to the public, for instance metadata APIs in AWS environments or trace.axd in ASP.NET
• Perform port scans on the internal network that the server is connected to
• Read files from the web server
• View status pages and interact with APIs as the web server
• Call up sensitive data such as the IP address of a web server running behind a contrary proxy

SSRF in the OWASP Meridian x

Server-side request forgery is a well-known vulnerability and a regular item on the Open Web Application Security Projection's list of peak ten web application security risks. In the OWASP Top 10 for 2021, it has even (for the starting time time) received its ain category every bit A10:2021 – Server-Side Asking Forgery (SSRF). It was included equally a separate category based on the results of a customs survey.

As mod web applications go more than circuitous and interconnected, fetching a URI has become a fundamental functioning for delivering content and functionality. With the ascension in server-side requests, SSRF vulnerabilities have as well get more common. At the same time, their scope and bear upon are expanding due to the growing prevalence of cloud services and intricate cloud-based awarding architectures, which can allow attackers to access web infrastructures and cloud data sources via a compromised server.

Typical exploitation of a server-side request forgery vulnerability

In a typical SSRF scenario, an external assailant who wants to admission an internal server can't apply direct requests considering they would be blocked past the firewall. Instead, malicious actors tin can exploit an SSRF vulnerability to brand their assault via a vulnerable web server:

1. The assaulter sends a forged request to a web server that is vulnerable to SSRF and resides on the same internal network every bit the target server.
2. The vulnerable web server sends the attacker-controlled request to the victim'southward server, bypassing the firewall.
3. The victim'south server responds to the spider web server with the requested data.
4. If the specific SSRF vulnerability permits it, the data is sent dorsum to the attacker. In near cases, the aggressor will need to exfiltrate or infer this data past other means (out-of-band).

Why is server-side request forgery unsafe?

While many spider web vulnerabilities directly affect the target system, SSRF allows attackers to use the target as an intermediary that passes requests to a 3rd arrangement. So while an SSRF attack might not be dissentious in itself, it tin provide malicious hackers with access to internal systems that were never supposed to exist accessible from the Internet. There are several reasons why this is dangerous.

SSRF abuses the trust human relationship between internal systems

Equally a security best exercise, y'all should always keep your attack surface as small as possible on all levels. In internal networks, this commonly means that access to sure ports or actions is restricted to specific whitelisted machines just. To maintain security while still beingness able to substitution data and perform administrative tasks, servers often have a trust relationship with select other machines.

At a network level, this trust can mean that a firewall just allows access to sure ports if the requesting machine is on the same local network or if its IP address is explicitly trusted. At a software level, you lot can take implicit trust in local machines so that authentication is not required for some administrative tasks as long as the IP is 127.0.0.1 or mayhap inside the internal network. This adds some caste of concrete security because even if an attacker obtains valid credentials, they tin can't log in without access to the local network.

Past exploiting an SSRF vulnerability, an attacker tin can circumvent such restrictions to interact with other servers that trust the afflicted machine. This could mean sending data queries or crafting malicious requests to interact with ports that aren't accessible from the exterior network. By forging server-side requests, an external attacker tin perform malicious actions on the target server that would otherwise not be possible from the exterior.

SSRF allows attackers to browse local or external networks

By exploiting a server-side request forgery vulnerability, attackers may exist able to scan local or external networks that the vulnerable server is connected to. While it is usually not possible to extract data directly, attackers tin can use the page load time, error letters, or banners of the service they are probing to indirectly determine whether the targeted service is responding or a tested port is open.

Example: How to scan a network via an SSRF vulnerability

Imagine you have a website with a service that allows you to fetch JPEG images from a remote source so it tin determine their dimensions. As a security control, the service checks if the response received from the remote source has a Content-Type HTTP header with the value image/jpeg. If the header is missing or specifies a dissimilar content blazon, the service assumes that a dissimilar paradigm format was provided and returns the error bulletin Please provide JPEG images only. If there is a problem connecting to the remote source, the service returns No paradigm found!

Permit's run across how attackers can use different inputs that affect the service response to determine if a host is up or not:

• If we request https://victim.com/image.php?url=https://example.com/motion-picture show.jpg, we go the pinnacle and width of the image, meaning that this is a valid picture with a correct Content-Type header.
• Let's try a dissimilar HTTP request and feed the server an HTML file rather than an prototype by sending https://victim.com/prototype.php?url=https://instance.com/index.html. At present the service response is Please provide JPEG images only, since the supplied page has the incorrect Content-Type header (text/html instead of image/jpeg).
• Now allow's see what happens for an invalid URL such as https://victim.com/image.php?url=https://case.invalid/. The service returns Image not found, meaning at that place was an fault fetching the remote resource.

Now that nosotros know how the application behaves for different inputs, we tin can try to abuse it. We know that a valid URL with a missing or incorrect Content-Type header returns the error Please provide jpeg images merely. Let'southward send the following request with an internal URL:

          https://victim.com/image.php?url=127.0.0.ane:3306        

If we get the fault Image not found, that means there is no response from host 127.0.0.1 on port 3306. However, if nosotros become Please provide jpeg images only, it means that the internal server did respond, so there is a service running on that port. That style, we can utilise the vulnerable spider web application to probe dissimilar internal IP addresses and ports to make a consummate scan. In effect, such an SSRF vulnerability allows attackers to perform port scanning without using an actual port scanner.

SSRF can expose files and internal resources on the server

When the content of a remote resource is straight rendered to a folio, there is a possibility that attackers could read file content. As an example, consider a web service that removes all images from a supplied URL and then nicely formats the text. To exercise this, information technology takes the response torso for a given URL and then applies text formatting.

If the service is vulnerable to SSRF and allows us to supply a file:// URL instead of the usual http:// or https://, nosotros can use information technology to read files from the local file system. For example, if nosotros use the URL file:///etc/passwd on a UNIX-based system, we could display the content of the passwd file. The same technique tin be used to view the source lawmaking of the vulnerable web application.

What are the potential impacts of SSRF attacks?

As seen in the to a higher place examples, the direct impact of exploiting a server-side asking forgery vulnerability is nearly e'er data disclosure because attackers obtain a lot of useful information well-nigh systems and resources that should be inaccessible to them. However, the indirect consequences tin can be devastating, since SSRF tin can let malicious actors to:

• Use the vulnerable server as a port and IP scanner for internal and external systems
• Collaborate with protocols such as Gopher (if enabled) to perform additional reconnaissance
• Discover the IP addresses of servers running backside a opposite proxy
• Obtain remote lawmaking execution

Considering SSRF is primarily an admission channel for further probes and attacks, there are also many other possibilities, depending on how the vulnerable spider web awarding uses responses received from the remote resource. Combined with other vulnerabilities in suitable weather condition, SSRF tin take severe consequences.

Preventing server-side request forgery

To prevent SSRF vulnerabilities in your web applications, you are strongly advised to utilise a whitelist of allowed domains and protocols for remote resource fetched by the spider web server. More mostly, you should also avert using user input direct in whatever functions that can make requests on behalf of the server. While it is always a skillful idea to sanitize and filter user input, you should non rely on this as your sole protection considering it is virtually impossible to encompass all the different scenarios.

Attackers can employ a broad variety of tricks to featherbed URL filtering:

• Apply encoded IP addresses which volition be translated to an IP in an internal network:
• 1 -> same as localhost
• 123.123.123 -> same every bit localhost
• Supply hostnames that resolve to internal IP addresses
• Featherbed host blacklisting by applying dots at the end of the hostname

This is only a small portion of bypasses that attackers take in their armory, so recommended practise is to avert user input in functions that upshot requests on behalf of the server.

Identifying SSRF vulnerabilities in your spider web applications

Modernistic dynamic application security testing (DAST) solutions such as Invicti provide accurate vulnerability scanning for a wide variety of spider web vulnerabilities, including many server-side request forgery vulnerabilities. For out-of-band SSRF and other second-order vulnerabilities, Invicti uses a defended vulnerability testing infrastructure that allows it to place and report security flaws that don't return direct responses.

Vulnerability nomenclature and severity table

Classification	ID / Severity
PCI v3.ii	6.5.6
OWASP 2013	A5
OWASP 2017	A6
OWASP 2021	A10 (standalone category)
CWE	918
CAPEC	347
WASC	15
HIPAA	164.306(a), 164.308(a)
ISO27001	A.14.2.v
CVSS:three.0	CVSS:3.0: AV:North/Air-conditioning:H/PR:North/UI:N/South:C/C:Northward/I:N/A:Due north
Invicti	Disquisitional

Well-nigh the Author

Zbigniew Banach

Technical Content Writer at Invicti. Drawing on his feel as an It announcer and technical translator, he does his best to bring web security to a wider audience on the Invicti web log and website.

Stay upwardly to date on web security trends

Your Information will be kept private.

Source: https://www.invicti.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/

Posted by: parksmusere1980.blogspot.com

Share this post