🔐
Secure Coding Handbook
  • Secure Coding Handbook
  • Resources
  • Client side
    • Cross-Site Scripting [XSS]
    • Cross-Site Request Forgery [CSRF]
    • Clickjacking
    • Open Redirects
  • Server Side
    • SQL Injections [SQLi]
    • XML External Entity Injection [XXE]
    • OS Command Injection [Command Execution]
    • File Upload
    • Server-Side Request Forgery [SSRF]
    • Host Header Injection
    • Authentication
    • Directory Traversal
    • Template Injection [SSTI]
  • API
    • Broken Object Level Authorization
    • Excessive Data Exposure
    • Mass Assignment
  • Auxiliary
    • Vulnerable Dependency Management
    • Deserialization
    • Logging
  • Solidity
    • Re-Entrancy
Powered by GitBook
On this page
  • 1. Introduction:
  • 2. Typical vulnerable code:
  • 3. Mitigations:
  • 3.1. Whitelisting HTTP requests domains:
  • 3.2. Network-layer firewalls:
  • 4. Takeaways:

Was this helpful?

  1. Server Side

Server-Side Request Forgery [SSRF]

PreviousFile UploadNextHost Header Injection

Last updated 3 years ago

Was this helpful?

1. Introduction:

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In a standard SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might even allow an attacker to perform .

You can read more about SSRF .

2. Typical vulnerable code:

Here's an example of how and why SSRF vulnerability exists. Since the code below is opening the resource located on the given $url without being sanitized or checked whatsoever, the attacker can manipulate the server into forging a request to any URL they desire.

<?php

    /**
    * Check if the 'url' GET variable is set
    *
    * Example request:
    *     http://localhost/?url=http://bobi.io/yakuhito.gif
    */
    if (isset($_GET['url'])){
        $url = $_GET['url'];
        
        /**
        * Send the request to the given
        * $url.
        */
        $image = fopen($url, 'rb');
        
        /**
        * Set the correct response headers.
        */
        header("Content-Type: image/png");
        
        /**
        * Return the content of the image.
        */
        fpassthru($image);
    }
...

Since there are some legitimate reasons to make outbound requests from your server, such as using any third-party APIs(processing payments, error-reporting, etc), we have to examine and find ways of defending against SSRF.

3. Mitigations:

3.1. Whitelisting HTTP requests domains:

An obvious first level of defense is setting up a whitelist for domains that you KNOW your application has to request.

<?php
    # https://stackoverflow.com/questions/37069635/whitelisting-urls-in-php
    $whitelistDomains = [
        'safedomain.io',
        'anothersafe.com'
    ];
    
    function checkUrl($link, $whitelistDomains)
    {
    
        $urlData = parse_url($link);
    
        $domain = isset($urlData['host'])? $urlData['host'] : $link;
    
        if (in_array($domain,$whitelistDomains)){
            return true;
        }
        else{
            return false;
        }   
    
    }
    /**
    * Check if the 'url' GET variable is set
    *
    * Example request:
    *     http://localhost/?url=http://bobi.io/yakuhito.gif
    */
    if (isset($_GET['url'])){
        $url = $_GET['url'];
        
        /**
        * Validate the given url's domain
        */
        if(!checkUrl($url, $whitelistDomains)) {
            return;
        }
        /**
        * Send the request to the given
        * $url.
        */
        $image = fopen($url, 'rb');
        
        /**
        * Set the correct response headers.
        */
        header("Content-Type: image/png");
        
        /**
        * Return the content of the image.
        */
        fpassthru($image);
    }
...

This should still be avoided, since as previously mentioned you most probably already KNOW what domains you will be using for the API calls. Having said that, you can adapt your code to use the SDK(software development kit) for that API, or simply configuring the routes for those API calls in the code itself, rather than taking it from the url parameter.

3.2. Network-layer firewalls:

The objective of the Network layer security is to prevent your VulnerableApplication from performing calls to arbitrary applications. Only allowed routes will be available for this application in order to limit its network access to only those that it should communicate with.

The Firewall component, as a specific device or using the one provided within the operating system, will be used here to define the legitimate flows.

In the schema below, a Firewall component is leveraged to limit the application's access, and in turn, limit the impact of an application vulnerable to SSRF:

4. Takeaways:

Typically, web servers should not do HTTP-requests unless for a specific task, such as using an API, etc. With this in mind, a developer should strictly whitelist the allowed domains/ websites that their application should request to; this can also be enforced on a network-layer, via implementing firewalls.

You can find more details about this topic here:

Apart from this type of firewall, one can leverage network segregation. More to that .

You may still not be satisfied with the mentioned mitigations, should you work with a more complex system. Should that be the case, please read this.

arbitrary command execution
here
in here
comprehensive cheatsheet against SSRF
What is SSRF?
Server Side Request Forgery Prevention [OWASP]