DEV Community

Blue Byte

Exploiting CRLF in PHP cURL to retrieve Azure Access Tokens

Server-Side Request Forgery (SSRF) is a critical vulnerability that allows an attacker to force a server to make requests to internal or external resources, often bypassing network restrictions. In cloud environments such as Microsoft Azure, this flaw can be exploited to access the instance metadata API, which can expose temporary credentials for virtual machines.

Azure Metadata API

Azure provides an internal API accessible through the endpoint:

```
http://169.254.169.254/metadata/instance?api-version=2021-02-01
```

This API is designed to be accessible only by processes running inside the VM. However, to obtain a valid response, the Metadata: true header must be included in the HTTP request. If a vulnerable web service can be exploited to make arbitrary requests, an attacker could extract critical information such as access keys to Azure resources.

CRLF Injection in PHP cURL

CRLF (Carriage Return + Line Feed) Injection occurs when an attacker is able to inject newline characters into HTTP headers, manipulating the request in unexpected ways.

In PHP, the curl_setopt function can be misconfigured when setting custom headers, allowing an attacker to inject CRLF characters (%0D%0A). This can be used to modify the HTTP request and even add new headers. If the application receives a URL as a parameter from user input, and it is not properly sanitized, an attacker can inject a CRLF and add arbitrary headers to the request:

```
http://169.254.169.254/metadata/instance?api-version=2021-02-01%0D%0AMetadata:%20true
```

This may result in the following malicious request:

```http
GET /metadata/instance?api-version=2021-02-01 HTTP/1.1
Host: 169.254.169.254
Metadata: true
```

The request is sent to 169.254.169.254 and reaches the Azure Metadata API with the required header. To mitigate this vulnerability, always sanitize user input (something you probably already know) and use the CURLOPT_SAFE_UPLOAD and CURLOPT_REDIR_PROTOCOLS options whenever applicable.
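As an added example that is not part of the original post, here is a hardened fetch wrapper in PHP that closes the two conditions described above: it rejects CR/LF in the URL and in any caller-supplied headers, and refuses destinations that resolve to link-local or private addresses. The function names and the http/https allow-list are assumptions for illustration.

```php
<?php
// Added example, not code from the post; function names and the allow-list are assumptions.
function reject_crlf(string $value, string $what): void
{
    // Raw CR/LF/NUL split one header into two; the encoded form is refused too in case the app decodes first.
    if (preg_match('/[\r\n\0]/', $value) || preg_match('/%0[aAdD]/', $value)) {
        throw new InvalidArgumentException("$what contains CR/LF characters");
    }
}

function is_internal_ip(string $ip): bool
{
    // Fails for loopback, RFC 1918 and reserved ranges, including 169.254.0.0/16 (Azure metadata service).
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function safe_fetch(string $url, array $extraHeaders = []): string
{
    reject_crlf($url, 'URL');
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        throw new InvalidArgumentException('only absolute http(s) URLs are allowed');
    }
    // Resolve once and refuse internal targets; an unresolvable name fails closed (non-IP string is rejected).
    if (is_internal_ip(gethostbyname($parts['host']))) {
        throw new InvalidArgumentException('destination is an internal address');
    }
    $headers = [];
    foreach ($extraHeaders as $name => $value) {
        reject_crlf($name . $value, 'header');
        if (strcasecmp($name, 'Metadata') === 0) {
            continue; // never forward the header the metadata service requires
        }
        $headers[] = "$name: $value";
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could otherwise land on 169.254.169.254
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 10,
    ]);
    return (string) curl_exec($ch);
}
```

The address checked here and the address cURL connects to can differ if the name is re-resolved (DNS rebinding); pinning the checked address with CURLOPT_RESOLVE closes that gap.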
