Server-side request forgery (SSRF)

SSRF

Category: Server-side request forgery (SSRF)

Severity: High

Description

Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.

Impact

A successful SSRF attack can often result in unauthorized actions or access to data within the organization. This can be in the vulnerable application, or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks. These can appear to originate from the organization hosting the vulnerable application.

Remediation

• Sanitize and validate all client-supplied input data

• Enforce the URL schema, port, and destination with a positive allow list

• Do not send raw responses to clients

• Disable HTTP redirections

• Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions

Do not mitigate SSRF via the use of a deny list or regular expression. Attackers have payload lists, tools, and skills to bypass deny lists.

Reference

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/