DEV Community

Sedat SALMAN for AWS Community Builders

Posted on

AWS Security Stories #04.2: OWASP - SSRF

Server-Side Request Forgery (SSRF) is a web application vulnerability that allows an attacker to manipulate the target server to send an HTTP request to a specific URI, URL or IP address. The vulnerability lies in the server-side code, which can be exploited by an attacker to craft a malicious request that is executed by the vulnerable server. This can enable the attacker to access internal resources, such as internal web services, file systems, and databases, as well as external resources, such as public web services and IP addresses.

SSRF is typically caused by a lack of proper validation of user-supplied input on the server-side code. Attackers can use this vulnerability to bypass security controls, such as firewalls or access controls, and to perform a variety of malicious activities, such as port scanning, file reading, external resource access, and Distributed Denial of Service (DDoS) attacks.

One important characteristic of SSRF is that the vulnerability is not caused by a problem on the client-side, but instead is on the server-side. Because of that, the attack does not require any action from the victim and the attacker can be also able to make requests from servers that are not directly accessible from the internet by using internal IP addresses. Also, SSRF can be used to perform authentication bypass, by manipulating the target server to generate a request that authenticates as an internal user to access restricted resources.

In summary, SSRF is a serious web application vulnerability that can allow an attacker to gain unauthorized access to sensitive resources and perform malicious actions, by manipulating the target server to send a crafted request. This vulnerability can be used to bypass security controls and perform a variety of malicious activities, making it important to take steps to prevent it by validating user input, limit the scope of what a server can access and use security tools to detect and prevent SSRF attacks.

Here are five examples of SSRF attacks:

- Internal Port Scanning: An attacker could use SSRF to scan the internal ports of a vulnerable server, by crafting a request that targets the server's internal IP address. This can potentially reveal sensitive information, such as open ports or running services.

GET http://127.0.0.1:22
Enter fullscreen mode Exit fullscreen mode

- File Reading: An attacker could use SSRF to read sensitive files on the vulnerable server, by crafting a request that targets a file path on the server's file system.

GET http://127.0.0.1/etc/passwd
Enter fullscreen mode Exit fullscreen mode

- External Resource Access: An attacker could use SSRF to access external resources, by crafting a request that targets an external IP address or domain. This can potentially allow the attacker to gain access to sensitive information or perform unauthorized actions.

GET http://example.com/admin
Enter fullscreen mode Exit fullscreen mode

- SSRF to Bypass Firewall: An attacker could use SSRF to bypass firewalls and access internal resources that are otherwise not directly accessible from the Internet. This can happen when there is a misconfigured URL redirector.

GET http://internal-resource.com:8080
Enter fullscreen mode Exit fullscreen mode

- SSRF to perform DDoS attack: An attacker could use SSRF to perform DDoS attack, by crafting a request that targets a specific IP address or domain with a high number of requests.

GET http://example.com/ GET http://example.com/ GET http://example.com/ GET http://example.com/
Enter fullscreen mode Exit fullscreen mode

To protect against SSRF on AWS, you can use several approaches:

1. Limit the scope of what a server can access: You can use Amazon Virtual Private Cloud (VPC) and security groups to restrict the IP ranges that a server can access. By creating a VPC and security groups, you can create a virtual network that isolates your server from the public internet and only allows traffic to and from specific IP ranges. Additionally, you can create network ACLs to block incoming and outgoing traffic based on specific ports, protocols, and IP ranges.

2. Input validation: It's important to validate user inputs. By validating inputs, you can ensure that the data is in the expected format and only allowing a defined set of inputs, you can prevent attackers from injecting malicious payloads into your application. For example, you can use regular expressions to validate the format of an IP address or URL, or use a whitelist of allowed values.

3. Use of Security Token Service (STS) AssumeRole API: STS is a web service that enables you to secure AWS access for your applications. By using the STS AssumeRole API, you can provide temporary security credentials to your applications and limit the actions and resources that can be accessed by an IAM user or role. This can help to prevent unauthorized access to sensitive resources.

4. Use of VPC endpoint: By creating a VPC endpoint, you can allow traffic to certain AWS services to flow directly to the service over the Amazon private network, bypassing the public internet. This can prevent external access via SSRF.

5. Use of Web Application Firewall (WAF): A WAF can block incoming web requests that contain suspicious patterns or payloads, such as requests that target internal IP addresses or that contain encoded characters or injected payloads. WAF can be used for example in AWS CloudFront, Elastic Load Balancing, or Amazon API Gateway to protect against web-based threats like SSRF.

6. Keep your software up to date: Keep your software up to date, including the operating system, frameworks, libraries, and all applications and services running on your instances. This will help to ensure that any known vulnerabilities are patched and that your server is running the latest security updates.

It's worth noting that no single solution can completely prevent SSRF attacks; instead, it's often a combination of different measures that can help to mitigate the risk. It's also important to keep monitoring your server for any suspicious activity and regularly testing for vulnerabilities.

Top comments (0)