10. SSRF

What is SSRF?

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL.

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.

Scenario 1

If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from connection results or elapsed time to connect or reject SSRF payload connections.

Scenario 2

Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd</span> and http://localhost:28017/.

Scenario 3

Most cloud providers have metadata storage such as http://169.254.169.254/. An attacker can read the metadata to gain sensitive information.

Scenario 4

The attacker can abuse internal services to conduct further attacks such as RCE or DoS.

Reference

A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021

A10 Server Side Request Forgery (SSRF) - OWASP