Table of Contents
  • Home
  • /
  • Blog
  • /
  • Server-Side Request Forgery (SSRF) – The #10 Web Application Security Risk
January 29, 2024
|
3m

Server-Side Request Forgery (SSRF) – The #10 Web Application Security Risk


Server Side Request Forgery Ssrf The 10 Web Application Security Risk

Server-side request forgery (SSRF) ranked as the #1 emerging web application security threat in a recent community survey, and for good reason. This attack allows malicious actors to abuse the implicit trust given to web applications to access internal systems and data that are typically protected by firewalls.

CWEs Mapped1
Max Incidence Rate2.72%
Avg Incidence Rate2.72%
Avg Weighted Exploit8.28
Avg Weighted Impact6.72
Max Coverage67.72%
Avg Coverage67.72%
Total Occurrences9,503
Total CVEs385

A10:2021 Server-Side Request Forgery (SSRF)

What is Server-Side Request Forgery (SSRF)?

SSRF refers to an attack where a web application is tricked into making requests to internal systems or external sites on behalf of the attacker. This happens because the web app does not properly validate remote resource requests.

For example, a web application may fetch data from a remote site to display on a page. If the destination site is not validated, an attacker can craft a request to access locally hosted systems behind the firewall like databases, internal API endpoints, etc.

This allows the attacker to steal sensitive data, access internal resources, pivot to other attacks, or conduct reconnaissance on the victims infrastructure.

SSRF Attack Example

Lets look at a real-world SSRF attack against Capital One in 2019 that compromised over 100 million customer records:

The web application was hosted on Amazon Web Services (AWS) virtual machines. These VMs can make internal requests to AWS services using AWS identity and access management (IAM) keys.

The attacker found an SSRF vulnerability in the web app. By exploiting this, they were able to steal the IAM keys and use them to access Capital Ones AWS S3 buckets containing sensitive customer data.

This shows how a seemingly minor validation issue resulted in one of the largest data breaches in banking history, incurring massive fines and reputation damage.

Preventing SSRF Vulnerabilities

Here are some key SSRF prevention tips:

  • Validate URLs Scrutinize all URL inputs and remote resource requests. Reject problematic characters, domain restrictions, etc.

  • Use whitelists Only allow requests to permitted, internal domains instead of blacklists.

  • Limit access Restrict which services can interact with remote resources. Use service accounts with limited access.

  • Monitor activity Log and monitor remote resource requests to detect misuse.

Though SSRF attacks are still relatively unknown, their growth potential cannot be ignored. As applications increasingly integrate with internal and external services, we must anticipate and prevent SSRF vulnerabilities through secure development practices.

We hope this post helped in learning about OWASP Top #7 application security risk Server-Side Request Forgery (SSRF). Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.  

You may also like these articles:

Rajeshwari KA

Rajeshwari KA is a Software Architect who has worked on full-stack development, Software Design, and Architecture for small and large-scale mission-critical applications in her 18 + years of experience.

Recently added

Explore

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe