Synopsis
Server-Side Request Forgery
Description
Web applications often rely on network requests to query external resources and retrieve data in order to process it.
A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker is able to control these outbound requests and direct them to a resource they control, to the localhost itself, or to a private host on the target application's internal network.
By injecting a crafted request and using various protocols (such as HTTPS or Gopher), the attacker can leverage this vulnerability to try to gain access to sensitive data, perform unauthorized modifications, or obtain remote code execution in the target environment.
Depending on the web application configuration, the vulnerability may be of three types:
- Blind: the application executes the malicious request but does not return any response to the attacker. Exploitation is difficult, as the attacker has to rely solely on their own knowledge of the target to conduct the attack.
- Half-blind: the malicious request is executed and the response is partially returned to the attacker. For example, the application may return different error messages depending on the status of the outbound request. Exploitation remains difficult, but the attacker can gather information that helps them take the attack further.
- Non-blind: the application returns the full content of the response to the malicious request. Exploitation is easier and generally makes the impact of this vulnerability more critical.
The scanner was able to detect a Server-Side Request Forgery vulnerability by injecting a crafted request into the target application, which performed an external request and returned a partial or full response.
Solution
The mitigation depends mainly on the application's purpose and design, but it is generally recommended to apply the defense-in-depth principle and enforce controls at both the application and network layers.
In the application, inputs are processed by a parser that can be abused in various ways. It is recommended not to allow the user to send full URLs to the application, and to validate hostnames or IP addresses against a whitelist, if applicable, prior to performing the request. Otherwise, a blacklist can be used to prevent requests to the localhost and to all assets of the internal infrastructure. As applications sometimes use a library such as libcurl to perform the requests, ensure that the component is up to date to avoid exploitation of a security vulnerability in the parser itself.
At the network layer, one approach is to implement network segregation to control and limit traffic between the hosts of the infrastructure, and to use security services such as firewalls or web proxies to enforce the network restrictions.
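As an added example (not part of the plugin text above), the application-layer controls just described in Python: a hostname allowlist mode and a fallback blocklist mode that resolves the hostname and refuses any address that is loopback, link-local or otherwise non-public. The hostnames, addresses and injectable resolver are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the OS would try for `host`."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_private_address(addr):
    """True for loopback, link-local, RFC 1918 and other non-routable addresses."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_outbound_url(url, allowed_hosts=None, resolver=resolve_all):
    """Return the vetted IP address to connect to, or None if the URL is refused.

    allowed_hosts: optional set of exact hostnames (the whitelist mode).
    Without it, only hostnames resolving to a non-public address are refused
    (the blacklist mode). `resolver` is injectable so the checks can be tested
    offline; the default performs real DNS lookups.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None                       # refuse non-HTTP schemes such as gopher://
    host = parts.hostname                 # lower-cased, IPv6 brackets stripped
    if not host or parts.username is not None or parts.password is not None:
        return None                       # empty host or user@host confusion
    if allowed_hosts is not None and host not in allowed_hosts:
        return None
    # Resolve instead of string-matching: decimal or octal IP spellings and DNS
    # names pointing at internal hosts all surface here as plain addresses.
    try:
        addrs = resolver(host)
        if not addrs or any(is_private_address(a) for a in addrs):
            return None
    except (OSError, ValueError):
        return None
    # Pin the first vetted address; the HTTP client should connect to it directly
    # (with Host: set to `host`) so a later DNS answer cannot swap in an internal one.
    return addrs[0]
```

The returned address is meant to be passed to the HTTP client in place of the hostname, so that the address checked is the address actually connected to.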
Plugin Details
Scan Template: api, full, pci, scan
Risk Information
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v2.0 Score Source: Tenable
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v3.0 Score Source: Tenable
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N
CVSS v4.0 Score Source: Tenable