Server Side Request Forgery


Server Side Request Forgery (SSRF) attacks take place when the server calls a user-submitted URL without verification.

Imagine that a user can submit a URL to the server. The server fetches the resource behind it and returns the content to be displayed to the user. If the URL is not verified, an attacker could submit a URL such as “file:///” and obtain the listing of the root directory of your server. Other examples of abuse follow:

  • extracting the password file from a Linux server using “file:///etc/passwd”
  • accessing the MongoDB administrative interface using “http://localhost:28017/”
  • accessing the metadata service of cloud providers using “http://169.254.169.254/”
  • build a map of the network and open ports by running multiple calls, which provides more opportunities for accessing sensitive information accessible in the network

This vulnerability takes advantage of the fact that requests originating from the server are not restricted by the firewalls and monitoring systems that would apply to requests coming through the web interface.

To avoid this vulnerability:

  • sanitize and validate URLs before using them for fetching data
  • do not send raw responses to clients
  • disable HTTP redirections
  • segment resources in multiple networks to limit the area of potential attacks
  • block all but essential intranet traffic through “deny by default” firewall policies or network access control rules

More sophisticated attacks use URL encoding or base64 encoding to disguise the target so that naive filters do not recognise it.

A particularly difficult attack to prevent takes advantage of DNS records: the hostname resolves to a harmless address when the URL is validated, but its DNS record has changed to an internal address by the time the request is actually made. This is called DNS rebinding, a “time of check, time of use” (TOCTOU) race condition.
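The following Python module, added here as an illustration and not code from the original post, puts the mitigations above into practice: it allows only `http` and `https`, rejects credentials in the URL, resolves the hostname and refuses any answer that is loopback, link-local (including the 169.254.169.254 metadata address), RFC 1918 or otherwise non-public, caps the body relayed to the client, and does not follow redirects. It also addresses the DNS rebinding race described in the previous paragraph by connecting to the address that passed validation instead of resolving the name a second time. The function names (`is_public_ip`, `validate_outbound_url`, `pinned_fetch`) and the `resolver` hook are my own; the hook exists so the policy can be exercised offline with a constructed lookup table.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file://, gopher://, ftp://, ...
MAX_BODY_BYTES = 1 << 20              # never relay an unbounded upstream body to the client


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA record for host, via the operating system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=system_resolver) -> dict:
    """Check a user-supplied URL and return the single address we will connect to.

    Raises ValueError on any policy violation. `resolver` is a hypothetical hook
    (hostname -> list of IP strings) so the policy can be tested without DNS.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname            # already lower-cased, brackets stripped
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    port = parts.port or (443 if scheme == "https" else 80)
    # IP literals are checked directly; hostnames are resolved and *every*
    # returned record must be public (a mixed answer is treated as hostile).
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for ip in addrs:
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {"scheme": scheme, "host": host, "port": port, "ip": addrs[0], "path": path}


def pinned_fetch(url: str, resolver=system_resolver, timeout: float = 5.0) -> tuple[int, bytes]:
    """Fetch url over the address that passed validation; the name is never resolved again."""
    t = validate_outbound_url(url, resolver)
    # Connect by IP: a DNS answer that changes between check and use cannot
    # steer this request to an internal address.
    sock = socket.create_connection((t["ip"], t["port"]), timeout=timeout)
    if t["scheme"] == "https":
        # TLS still verifies the certificate against the original hostname (SNI).
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=t["host"])
        conn = http.client.HTTPSConnection(t["host"], t["port"], timeout=timeout)
    else:
        conn = http.client.HTTPConnection(t["host"], t["port"], timeout=timeout)
    conn.sock = sock  # hand http.client the pinned socket so it does not connect itself
    conn.request("GET", t["path"], headers={"Host": t["host"]})
    resp = conn.getresponse()
    # http.client never follows redirects: a 3xx is returned to the caller
    # instead of being followed into a location that was never validated.
    body = resp.read(MAX_BODY_BYTES)
    conn.close()
    return resp.status, body
```

Two design points are worth noting. First, validation rejects a hostname if any of its records is non-public, because a resolver may return several addresses and the client library may pick any of them. Second, the only lookup happens inside `validate_outbound_url`; `pinned_fetch` reuses that result, so the rebinding race has no window in which a second answer is consulted. Protocol-level redirects must still be handled by the caller, and for production use the checks should also be applied to any URL a redirect points to if redirects are ever re-enabled.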
