Server-side request forgery (SSRF) ranked as the #1 emerging web application security threat in a recent community survey, and for good reason. This attack allows malicious actors to abuse the implicit trust given to web applications to access internal systems and data that are typically protected by firewalls.
|Max Incidence Rate
|Avg Incidence Rate
|Avg Weighted Exploit
|Avg Weighted Impact
Table of Contents
What is Server-Side Request Forgery (SSRF)?
SSRF refers to an attack where a web application is tricked into making requests to internal systems or external sites on behalf of the attacker. This happens because the web app does not properly validate remote resource requests.
For example, a web application may fetch data from a remote site to display on a page. If the destination site is not validated, an attacker can craft a request to access locally hosted systems behind the firewall like databases, internal API endpoints, etc.
This allows the attacker to steal sensitive data, access internal resources, pivot to other attacks, or conduct reconnaissance on the victim’s infrastructure.
SSRF Attack Example
Let’s look at a real-world SSRF attack against Capital One in 2019 that compromised over 100 million customer records:
The web application was hosted on Amazon Web Services (AWS) virtual machines. These VMs can make internal requests to AWS services using AWS identity and access management (IAM) keys.
The attacker found an SSRF vulnerability in the web app. By exploiting this, they were able to steal the IAM keys and use them to access Capital One’s AWS S3 buckets containing sensitive customer data.
This shows how a seemingly minor validation issue resulted in one of the largest data breaches in banking history, incurring massive fines and reputation damage.
Preventing SSRF Vulnerabilities
Here are some key SSRF prevention tips:
- Validate URLs – Scrutinize all URL inputs and remote resource requests. Reject problematic characters, domain restrictions, etc.
- Use whitelists – Only allow requests to permitted, internal domains instead of blacklists.
- Limit access – Restrict which services can interact with remote resources. Use service accounts with limited access.
- Monitor activity – Log and monitor remote resource requests to detect misuse.
Though SSRF attacks are still relatively unknown, their growth potential cannot be ignored. As applications increasingly integrate with internal and external services, we must anticipate and prevent SSRF vulnerabilities through secure development practices.
We hope this post helped in learning about OWASP Top #7 application security risk Server-Side Request Forgery (SSRF). Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.