Server-Side Request Forgery (SSRF)

High

Description

A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that imports data from URLs, reads data from URLs, or sends requests to external systems. The URL can be manipulated, either by replacing it with a new one or by tampering with its path (path traversal). Typically, the attacker supplies a URL (or modifies an existing one) and the code running on the server reads from it, submits data to it, or simply issues an empty request to it. By manipulating the URL, the attacker can reach internal data and services that were never meant to be exposed, including HTTP-enabled databases and server configuration data.

Attack Scenario

This vulnerability occurs when the web application loads resources from an external server. For example, in https://securitymeter-vuln.com/load.php?url=http://secuirtymeter-readteam.com/somethingHere the url parameter is vulnerable to SSRF. If the attacker changes it to localhost, they may be able to gather information about services, endpoints or even open ports exposed on localhost by performing an XSPA (Cross-Site Port Attack), which may in turn lead to privilege escalation. Sometimes the attacker will not be able to place localhost (127.0.0.1) in the URL parameter, usually because of validation; in that case the attacker will use the vulnerable server as an attack proxy to attack other servers.

Mitigation

Use whitelisting instead of blacklisting for services, protocols and IPs.

If the web application relies solely on HTTPS or HTTP to initiate requests, permit only those URL schemes. By disabling unused URL schemes, you deny attackers the ability to use the application to carry out requests via potentially harmful schemes such as dict://, file:/// and gopher://.
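The two mitigation points above (whitelist rather than blacklist; permit only the schemes the application needs) can be combined into a single check that runs before the server fetches any user-supplied URL. The following Python is an added example written for this page, not code from the original entry; the allowlisted hosts, the constructed resolver table and the sample URLs in it are assumptions. It allowlists the scheme, allowlists the destination host, resolves the host and refuses any result that is loopback, private, link-local (which covers the cloud metadata address), multicast, reserved or unspecified, and returns the resolved IP so the caller can pin the connection to the address that was checked rather than resolving again at fetch time.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Only the schemes this application actually needs for outbound fetches.
# Everything else (file://, gopher://, dict://, ftp://, ...) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed allowlist of destination hosts for this example; a real
# deployment would load this from configuration.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}


def is_public_ip(addr: str) -> bool:
    """True only for addresses routable on the public internet.

    Loopback, RFC 1918, link-local (which includes the 169.254.169.254
    cloud metadata endpoint), multicast, reserved and unspecified ranges
    are all treated as internal and rejected.
    """
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def system_resolve(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA addresses via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url: str, resolve: Callable[[str], List[str]] = system_resolve) -> str:
    """Validate a user-supplied URL against the allowlists.

    Returns the IP address the caller must connect to; pinning that address
    closes the window between this check and the actual fetch (DNS rebinding).
    Raises ValueError with a reason on any rejection.
    """
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    host = parts.hostname  # already lower-cased by urlparse
    if not host:
        raise ValueError("missing host")
    # Reject userinfo so a URL like http://allowed.host@other.host/ cannot confuse
    # a reader (urlparse correctly treats other.host as the host, but be explicit).
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    # Every resolved address must be public; one internal record is enough to refuse.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addrs[0]


def rejection_reason(url: str, resolve: Callable[[str], List[str]] = system_resolve) -> Optional[str]:
    """None if the URL is acceptable, otherwise the reason it was refused."""
    try:
        check_outbound_url(url, resolve=resolve)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed resolver table so the example runs offline: one allowlisted host
# points at a public address, the other at an internal one (as a misconfigured
# or attacker-controlled DNS record would).
_EXAMPLE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["10.0.0.5"],
}


def example_resolve(host: str) -> List[str]:
    return _EXAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    # Constructed sample inputs covering each rejection path and one accepted URL.
    for candidate in [
        "https://images.example.com/logo.png",
        "file:///etc/passwd",
        "gopher://images.example.com/_x",
        "http://127.0.0.1/",
        "http://[::1]:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.partner.example/v1/export",
    ]:
        reason = rejection_reason(candidate, example_resolve)
        print(f"{'ALLOW ' if reason is None else 'REJECT'} {candidate}  {reason or ''}")
```

Note that the host allowlist already rejects literal IP addresses such as 127.0.0.1 and [::1]; the DNS resolution step exists for the case where an allowlisted name is made to resolve to an internal address, which a hostname check alone would miss.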

Enable Authentication on Internal Services

ID: 30001