If you are not familiar with the concept of Server-Side Request Forgery (SSRF), we suggest that you review the article entitled “What is Server-Side Request Forgery?“.
Server-Side Request Forgery results from a failure to anticipate that untrusted input can be crafted into URLs pointing at internal or otherwise unauthorized resources, which the server then fetches on the attacker’s behalf. Design advice and remediation are similar to those for Open Redirect vulnerabilities.
Strategies for avoiding and/or fixing Server-Side Request Forgery include:
- Design around it: Unless there is a genuine reason why a URL must be supplied by the client, avoid the problem entirely with an alternative design (for example, let the client choose among server-defined targets).
- Validation: When a URL value is received by the application, parse it first, then allow-list validate the scheme and the host (an exact match on the parsed hostname, never a substring or prefix check) against the set of legitimate values, and reject anything that is not a member. Because an allow-listed name can be pointed at an internal address by whoever controls its DNS, also resolve the host and reject loopback, link-local and private addresses; and if the target redirects, re-validate the redirected URL rather than following it blindly.
- Indirect References: In some cases, it may be possible to pass a (cryptographically strong) random value that represents the target URL and maintain a token:URL mapping on the server. Since URLs are never passed and the tokens are (practically) un-guessable, the vulnerability is eliminated.
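The following Python is an added example, not code from the original article, that implements the Validation and Indirect References strategies above. The allow-listed hosts, the port set and the DNS table are constructed for the example; the `resolve_stub` resolver stands in for real name resolution so that the code runs offline.

```python
import ipaddress
import secrets
from urllib.parse import urlsplit

# Hypothetical allow-list: the only targets this application legitimately fetches.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 443}

# Constructed stand-in for DNS so the example runs offline. cdn.example.com
# deliberately resolves to a private address to show why the resolved
# addresses, and not only the name, must be checked.
_FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def resolve_stub(host):
    """Return the IP addresses for host (constructed table; use real resolution in production)."""
    return _FAKE_DNS.get(host, [])


def validate_url(url, resolver=resolve_stub):
    """Allow-list validation of an untrusted URL. Returns True only for a safe target."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # 1. Scheme: only what the feature needs (no file:, gopher:, plain http:).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 2. Host: exact match on the parsed hostname, never a substring check.
    #    urlsplit() yields the real host even for "https://api.example.com@evil/".
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    # 3. No embedded credentials and no unexpected port.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port not in ALLOWED_PORTS:
            return False
    except ValueError:  # non-numeric port
        return False
    # 4. Every resolved address must be public: reject loopback, link-local,
    #    private and other special-use ranges.
    addrs = resolver(host)
    if not addrs:
        return False
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False
    return True


class TargetRegistry:
    """Indirect references: clients send a random token, never a URL."""

    def __init__(self):
        self._targets = {}

    def register(self, url):
        """Server-side code registers a URL and hands the client an unguessable token."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._targets[token] = url
        return token

    def lookup(self, token):
        """Map a client-supplied token back to its URL; None if unknown."""
        return self._targets.get(token)


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",                           # accepted
        "http://api.example.com/v1/items",                            # wrong scheme
        "https://api.example.com@169.254.169.254/latest/meta-data/",  # userinfo trick
        "https://api.example.com.evil.example/",                      # suffix trick
        "https://cdn.example.com/",                                   # resolves to 10.0.0.5
    ]:
        print(validate_url(candidate), candidate)
    reg = TargetRegistry()
    tok = reg.register("https://api.example.com/v1/items")
    print(tok, "->", reg.lookup(tok), "| bogus ->", reg.lookup("bogus"))
```

In production, replace `resolve_stub` with real resolution and connect to the address that was validated rather than resolving the name a second time at fetch time, since a name that resolved to a public address during the check can be rebound to an internal one before the request is made. Apply the same validation to any redirect target before following it.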
Although tangential to the topic, in all cases in which testing might result in unauthorized access to a resource, testers must first secure the owner’s permission to test access to that resource.
For additional information about detecting Server-Side Request Forgery (SSRF) within a web-application, please see the article entitled “How To Test For Server-Side Request Forgery“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.