SSRF

This document discusses server-side request forgery (SSRF) attacks. SSRF becomes possible when a web application accepts external URLs as input without validation or sanitization. An attacker can then make the server issue requests to internal services on their behalf and potentially reach restricted systems and data. Specific issues covered include protocol smuggling and URL-parsing inconsistencies across programming languages. The suggested mitigation is to resolve, on the server side, the destination IP address of any supplied URL and reject the request if that address points at an internal resource. The document also provides references for further reading on SSRF and related topics.

Uploaded by Rakesh Chandra

SSRF: Server-Side Request Forgery

It's not a vulnerability! It's an attack!

WHY IS SSRF POWERFUL?

• Bypass the firewall and touch the intranet.
• Compromise internal services:
  • Redis
  • Elastic
  • Struts2
• Protocol smuggling!

Protocols that are suitable to smuggle:

HTTP-based protocols
• Elastic, CouchDB, Docker.

Text-based protocols
• FTP, SMTP, Redis.
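Added example, not code from the slides or from the talk they cite: a small Python simulation of why a text-based, line-oriented protocol such as Redis is a smuggling target once an SSRF lets you pick the destination. naive_http_request is a constructed stand-in for a requester that percent-decodes the path and copies it into the request line verbatim (the class of requester behaviour the slides refer to; real clients vary). text_protocol_server is a constructed model of a Redis-style inline command reader, not real Redis. SMUGGLE_URL, the loopback:6379 target and the command names are all assumptions chosen for the demo; has_control_chars is the gate on the requester side that would stop it.

```python
from urllib.parse import unquote, urlsplit


def naive_http_request(url: str) -> bytes:
    """Bytes a careless HTTP/1.1 requester writes for `url`: it percent-decodes
    the path and pastes it into the request line unchanged.  Constructed
    stand-in, not a real HTTP client."""
    parts = urlsplit(url)
    path = unquote(parts.path or "/")
    lines = [f"GET {path} HTTP/1.1", f"Host: {parts.netloc}", "Connection: close", ""]
    return ("\r\n".join(lines) + "\r\n").encode("latin-1")


def text_protocol_server(stream: bytes) -> list[str]:
    """Constructed model of a line-oriented text protocol in the style of
    Redis inline commands: one command per line, fields split on whitespace.
    A line the server does not understand gets an error reply and the
    connection simply carries on with the next line.  That tolerance is what
    makes such protocols smuggling targets: HTTP headers become harmless
    unknown commands, and any injected line in between is executed."""
    replies = []
    for raw in stream.split(b"\n"):
        fields = raw.decode("latin-1").split()
        if not fields:
            continue                                   # blank line, nothing to do
        cmd, args = fields[0].upper(), fields[1:]
        if cmd == "PING" and not args:
            replies.append("+PONG")
        elif cmd == "ECHO" and len(args) == 1:
            replies.append(f"${len(args[0])}\r\n{args[0]}")   # bulk string reply
        elif cmd == "GET" and len(args) == 1:
            replies.append("$-1")                      # key not found
        elif cmd in ("PING", "ECHO", "GET"):
            replies.append(f"-ERR wrong number of arguments for '{cmd.lower()}' command")
        else:
            replies.append(f"-ERR unknown command '{fields[0]}'")
    return replies


def smuggled_replies(url: str) -> list[str]:
    """What the text-protocol server answers when the naive requester fetches url."""
    return text_protocol_server(naive_http_request(url))


def has_control_chars(url: str) -> bool:
    """Requester-side gate: look at the *decoded* URL, because the decoded bytes
    are what reach the wire.  CR, LF and friends must never get that far."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(url))


# Constructed demo URLs.  The trailing %0D%0A pushes the requester's own
# " HTTP/1.1" onto a line of its own, so it does not spoil the ECHO arguments.
SMUGGLE_URL = "http://127.0.0.1:6379/%0D%0APING%0D%0AECHO%20smuggled%0D%0A"
BENIGN_URL = "http://127.0.0.1:6379/"

if __name__ == "__main__":
    print(naive_http_request(SMUGGLE_URL).decode("latin-1"))
    for reply in smuggled_replies(SMUGGLE_URL):
        print(repr(reply))
```

Run it and compare the two URLs: for BENIGN_URL every line of the HTTP request is an unknown command or a malformed GET, so nothing happens; for SMUGGLE_URL the injected PING and ECHO lines sit between the request line and the Host header and are executed. has_control_chars flags the smuggling URL and not the benign one, which is why the check belongs on the decoded string before anything is written to a socket.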
URL PARSING ISSUES

It's all about the inconsistency between the URL parser and the requester.

Several programming languages suffered from this issue: cURL, PHP, Python.

Why is validating a URL hard?

• The syntax is specified in RFC 2396 and RFC 3986, but that is just a spec.
• WHATWG defined a contemporary implementation based on the RFCs, but different languages still have their own implementations.
When a web application SSRF causes the cloud to rain credentials & more.

Goal was to access other users' files, but it was hard to guess the bucket names and the directories.

Shortly after starting the first penetration test, we found an interesting SSRF vulnerability which allowed us to send HTTP requests to internal or restricted resources and view their responses.

We could enumerate open ports and proxy our requests to other sites using the vulnerable website, among others.

As a result, AWS access and secret keys were retrieved, which could be used to extract more information from AWS.
MITIGATION

• The destination of the provided URL should be examined on the server side to ensure that its IP address does not point at any internal resource.
• Any request that does not meet this requirement should be logged, and a suitable error message returned to the user.
• Depending on the target and its usage, a better approach is a verification mechanism that ensures the destination website belongs to the user.
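Added example, not code from the slides or from the post they quote, covering both the parser/requester inconsistency above and the first two mitigation bullets: resolve the host server-side, refuse anything that lands on a non-global address (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6, and so on), and hand back the exact IP to connect to so the requester cannot disagree with the parser. Function names are hypothetical. default_resolve uses socket.getaddrinfo; DEMO_RESOLVE is a constructed DNS table with invented answers, and its "2130706433" entry stands in for the assumption that the OS resolver turns a decimal IPv4 literal into 127.0.0.1, as glibc's inet_aton does.

```python
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no gopher, ftp, dict, file: those are smuggling vectors


class UnsafeDestination(ValueError):
    """Raised when a user-supplied URL must not be fetched: log it, return an error."""


def default_resolve(host: str) -> list[str]:
    """Every A/AAAA answer the OS resolver gives for host, not only the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})   # drop IPv6 scope ids


def table_resolver(table: dict[str, list[str]]):
    """Offline stand-in for DNS: fixed answers, IP literals resolve to themselves."""
    def resolve(host: str) -> list[str]:
        if host in table:
            return table[host]
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            return []
    return resolve


def is_internal(address: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.169.254 included),
    unspecified, reserved and every other non-global range, IPv4 and IPv6."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is loopback in disguise
    return not ip.is_global


@dataclass(frozen=True)
class OutboundTarget:
    scheme: str
    host: str     # goes into the Host header / TLS SNI
    ip: str       # the address the socket actually connects to
    port: int


def plan_outbound_request(url: str, resolve=default_resolve) -> OutboundTarget:
    # Check the raw string first: urlsplit silently drops tab, CR and LF
    # before parsing, so a check done afterwards would never see them.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeDestination("control character or whitespace in URL")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # Parsers disagree about which host follows an '@'; refuse to guess.
        raise UnsafeDestination("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeDestination("no host in URL")
    try:
        port = parts.port          # raises on things like host:11211:80
    except ValueError:
        raise UnsafeDestination("port could not be parsed") from None
    if port is None:
        port = 443 if scheme == "https" else 80
    addresses = resolve(host)
    if not addresses:
        raise UnsafeDestination(f"{host!r} does not resolve")
    for address in addresses:      # one internal answer is enough to refuse
        if is_internal(address):
            raise UnsafeDestination(f"{host!r} resolves to internal address {address}")
    return OutboundTarget(scheme, host, addresses[0], port)


def is_allowed(url: str, resolve=default_resolve) -> bool:
    """Convenience wrapper: True if the URL may be fetched, False otherwise."""
    try:
        plan_outbound_request(url, resolve)
        return True
    except UnsafeDestination:
        return False


# Constructed DNS table for the demo; the answers are invented, not real lookups.
DEMO_RESOLVE = table_resolver({
    "example.com": ["93.184.216.34"],
    "metadata.attacker.test": ["169.254.169.254"],
    "dual.attacker.test": ["93.184.216.34", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],    # assumed: what inet_aton makes of a decimal IPv4
})
```

The design choice worth keeping: the caller opens its socket to target.ip and sends target.host in the Host header (and as SNI for https) instead of handing the original URL string to an HTTP library, which would parse and resolve it again with its own rules; that is exactly the parser/requester gap the slides describe. The same check has to run on every redirect hop, so automatic redirect following must be off.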
References

• http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
• http://docs.aws.amazon.com/cli/latest/reference/ec2/
• https://github.com/nccgroup/Scout2
• https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

THANK YOU!
