Server-side request forgery

1. Overview

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.

2. Example

<?php

/**
* Check if the 'url' GET variable is set
* Example - http://localhost/?url=http://testphp.vulnweb.com/images/logo.gif
*/
if (isset($_GET['url'])){
$url = $_GET['url'];

/**
* Send a request vulnerable to SSRF since
* no validation is being done on $url
* before sending the request
*/
$image = fopen($url, 'rb');

/**
* Send the correct response headers
*/
header("Content-Type: image/png");

/**
* Dump the contents of the image
*/
fpassthru($image);}

In the above example, the attacker has full control of the url parameter. They can make arbitrary GET requests to any website on the Internet and to resources on the server (localhost).

In the following example, an attacker makes a request to Apache HTTP Servers with mod_status enabled (enabled by default).

GET /?url=http://localhost/server-status HTTP/1.1
Host: example.com

Attackers can also use SSRF to make requests to other internal resources that the web server has access to, which are not publicly available. For example, they can access cloud service instance metadata like AWS/Amazon EC2 and OpenStack. An attacker can even get creative with SSRF and run port scans on internal IPs.

3. Prevention

3.1 Whitelists and DNS resolution

3.2 Response handling

3.3 Disable unused URL schemas

4. References

https://portswigger.net/web-security/ssrf

https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/