[Application security] How to conduct server-side request forgery (SSRF)

What we will do in this article

1: set up an initial environment using Docker

2: conduct server-side request forgery (SSRF)

What is server-side request forgery (SSRF)?

A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.

https://portswigger.net/web-security/ssrf

How to Prevent

From Network layer

• Segment remote resource access functionality in separate networks to reduce the impact of SSRF
• Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic.

From Application layer

• Sanitize and validate all client-supplied input data
• Enforce the URL schema, port, and destination with a positive allow list
• Do not send raw responses to clients
• Disable HTTP redirections
• Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions

Example Attack Scenarios

Scenario #1: Port scan internal servers — If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from…