[Application security] How to conduct server-side request forgery (SSRF)
--
What we will do in this article
1: set up an initial environment using Docker
2: conduct server-side request forgery (SSRF)
What is server-side request forgery (SSRF)?
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
How to Prevent
From Network layer
- Segment remote resource access functionality in separate networks to reduce the impact of SSRF
- Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic.
From Application layer
- Sanitize and validate all client-supplied input data
- Enforce the URL schema, port, and destination with a positive allow list
- Do not send raw responses to clients
- Disable HTTP redirections
- Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions
Example Attack Scenarios
Scenario #1: Port scan internal servers — If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from…