SERVER-SIDE REQUEST FORGERY (SSRF)

Server-Side Request Forgery (SSRF) is a type of vulnerability that allows an attacker to manipulate a server to make requests to an internal or external resource on behalf of the server itself. Essentially, this occurs when the server fetches a remote resource or data without properly validating the user-supplied URL.

ATTACK

In simpler terms, SSRF lets an attacker hand the server a URL of their choosing, and the server, without checking it, sends a request to that location. This can expose sensitive information or internal systems that should not be reachable from the public Internet.

IMPACT

When a server doesn't validate the URL or the resource that the user is requesting, it becomes easy for attackers to send malicious URLs. Many web applications fetch data from other servers, APIs, or services (like fetching remote images or files). If the application doesn't properly control or validate these requests, attackers can exploit this.

Access to Internal Resources:

If the server isn't restricted from accessing certain internal resources (such as databases or internal APIs), attackers can target these systems to steal or manipulate data.

Bypassing Firewalls:

Firewalls and security settings may be bypassed because the server itself is making the request, not the attacker directly. This could allow unauthorized access to protected systems.

Overloading Servers:

Attackers can cause a denial-of-service (DoS) by overwhelming internal systems or services with excessive requests.

SOLUTION

Below are some ways to protect against SSRF attacks:

1. Validate User Input:

Always validate and sanitize any URL provided by users. Make sure URLs are in the expected format (e.g., http:// or https://) and ensure they do not point to internal services such as localhost or private IP ranges. Only allow URLs from trusted sources and reject any unknown or suspicious URLs.

2. Block Internal Access:

Use security settings or firewalls to block servers from accessing internal systems, like private APIs or services, that should not be reachable by external requests. If the server needs access to internal resources, consider using a proxy or a controlled gateway that adds extra security layers.

3. Limit Where Requests Can Go:

Restrict the types of URLs the server can access. For example, allow only specific domains or services and block all others. Disallow URLs that can lead to local services (e.g., 127.0.0.1 or localhost) and private IP ranges.

4. Use a Proxy Server:

Route all requests through a controlled proxy server that can monitor and restrict what the server can access. This adds an extra layer of protection.

5. Network Segmentation:

Keep your internal systems separate from the servers accessible by the public. This reduces the risk of attackers gaining access to sensitive systems.

6. Set Request Limits:

Set time limits for requests and prevent too many requests in a short time. This can help protect against DoS attacks.

7. Use Security Headers:

Apply security headers like Strict-Transport-Security (HSTS), X-Content-Type-Options, and others to strengthen overall security and reduce some SSRF risks.
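The following is an added example, written by the editor and not part of the original article, that puts measures 1, 3 and 6 above into code: scheme, port and host allowlisting, resolution of the hostname with every returned address checked against private, loopback and link-local ranges, and a fetch that enforces a timeout, refuses redirects and caps the response size. The allowlisted hostnames and the policy sets are constructed for illustration; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Hypothetical policy for this example: only these schemes, ports and hosts
# are permitted. The host allowlist is constructed for illustration.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}


def is_public_ip(ip_str):
    """True only for addresses that are neither private, loopback, link-local,
    multicast, reserved nor unspecified. IPv6 scope ids are stripped and
    IPv4-mapped IPv6 addresses unwrapped first, so neither form can disguise
    an internal target."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` has getaddrinfo's shape and is
    injectable for offline testing; production uses the real one."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        # "https://trusted@other/" parses with hostname "other": reject outright.
        return False, "credentials in URL not allowed"
    host = parsed.hostname  # already lower-cased by urlparse
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    # An allowlisted name is not enough: check what it actually resolves to,
    # and check every returned address rather than only the first.
    try:
        infos = resolver(host, port)
    except socket.gaierror:
        return False, "DNS resolution failed"
    addrs = {info[4][0] for info in infos}
    if not addrs:
        return False, "name resolved to no addresses"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a validated URL could otherwise 3xx to an internal one."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url, timeout=5.0, max_bytes=5 * 1024 * 1024):
    """Validate first, then fetch with a timeout, no redirects and a size cap."""
    ok, reason = validate_url(url)
    if not ok:
        raise ValueError(f"refused {url!r}: {reason}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(max_bytes)


if __name__ == "__main__":
    # Offline demonstration using a constructed resolver table.
    table = {"images.example.com": ["93.184.216.34"],
             "api.partner.example": ["10.0.0.5"]}
    fake = lambda h, p: [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, p))
                         for ip in table.get(h, [])]
    for u in ["https://images.example.com/logo.png",
              "https://api.partner.example/v1/status",
              "http://127.0.0.1:8080/",
              "https://images.example.com@evil.example/"]:
        print(u, "->", validate_url(u, resolver=fake))
```

Two caveats a practitioner should keep in mind. First, the check resolves the name and the HTTP client later resolves it again, so a name whose answer changes between the two lookups can slip past; a stricter design connects to the address that was validated (or re-applies `is_public_ip` inside the client's connection hook). Second, this is an allowlist-first design: the host must be known before its addresses are even examined. Denying only the literal strings `localhost` and `127.0.0.1`, as the article's wording might suggest, is far weaker, because addresses can be written in many equivalent forms.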


Radhika Lad

Cyber Security Analyst

Location: Pune, India

Radhika is a web and network pentester and an enthusiast in the cyber security domain. Her primary focus is on vulnerability assessment and penetration testing of corporate networks, firewalls, web and cloud applications, and mobile apps. Coming from a finance and education background, she has a passion for getting into the world of IoT and OT cyber security. She is always learning and trying new things in the domain she likes.