SSRF - Detection, Exploitation, and Mitigation Techniques [Part 1]

SSRF (Server Side Request Forgery) is a security vulnerability that allows an attacker to make unauthorized HTTP requests from the backend of a vulnerable web application by manipulating the URL/domain/path parameter of the request. The injected URL can come from either an internal network or a third-party network, and the attacker's goal is usually to gain unauthorized access to internal applications or leak sensitive data.

SSRF attacks can have serious consequences, such as unauthorized actions on third-party applications and remote command execution on vulnerable internal applications. Additionally, attackers can use SSRF to bypass network security measures such as firewalls and gain access to sensitive resources.

Detection techniques for pen-testing with different types of application scenarios

One of the most commonly used methods to detect SSRF vulnerabilities is to set up a dedicated server that can receive both DNS and HTTP requests. The idea is to identify requests made by the user-agent or originating from the IP address of the vulnerable application server. If the server receives a request from the application, it indicates that there might be an SSRF vulnerability present. This method can help in identifying SSRF attacks in real-time and is used extensively by security professionals and researchers. 

Another method of detecting SSRF attacks is based on response timing. In such cases, the attacker learns whether or not a specific resource exists based on the time it takes to receive a response. If the response time is significantly different from what is expected, it may indicate that the attacker is trying to access a resource that does not exist or is not accessible.

URL/domain/path as a part query string or request body - One common scenario where SSRF can occur is when an application takes any URL, domain name, or file path as an input as part of the query string or request body, and the values of these parameters are used in backend processing. SSRF  can happen when an attacker is able to control the input parameters and can inject malicious URL/domain/path. For instance, an attacker could use an image URL or a link URL as input in template generation, or use a file/directory path or an image URL in system/device configuration. In such cases, the attacker could trick the application into sending requests to internal resources or third-party services without the application's knowledge. The most common consequence of such attacks is unauthorized access to sensitive data or resources.

The Referrer header - This header can be manipulated by an attacker to exploit an SSRF vulnerability. If the application uses the referrer header for business logic or analytics purposes, the attacker can modify it to point to a target server they control. The vulnerable application will then make requests to the internal network, allowing them to potentially gain access to internal resources. This can also lead to data exfiltration or unauthorized actions on third-party applications.

PDF Rendering/Preview Functionality - If the application provides the ability to generate PDF files or preview their content based on user input data, there may be a risk of SSRF. This is because the application's code or libraries could render the user-supplied JavaScript content on the backend, potentially leading to SSRF vulnerabilities. Attackers could exploit this vulnerability by injecting a malicious URL or IP address in the PDF file or the preview content, resulting in unauthorized access to internal systems or sensitive data. Therefore, it's important for developers to thoroughly sanitize user input data and restrict access to internal resources to prevent SSRF attacks.

File uploads – If an application includes a file upload feature and the uploaded file is parsed or processed in any way, it may be vulnerable to SSRF attacks. This is because URLs or file paths embedded in uploaded files such as SVG, XML, or PDF files may be used to make unauthorized requests to external resources. Attackers can leverage this vulnerability to perform actions such as gaining unauthorized access to internal applications, leaking sensitive data, or executing commands on third-party applications through vulnerable application’s origin.

Bypassing Whitelisted Domain/URL/Path – An attacker can use various encoding mechanisms and supply malformed URL formats with binary characters for the localhost URL, including techniques like CIDR bypass, dot bypass, decimal/octal/hexadecimal bypass, and domain parser confusion, to evade an application's whitelisted URL/domain/file path configuration. This can allow the attacker to inject a malicious URL or domain name, potentially leading to an SSRF vulnerability.

Checking with different protocols/IP/Methods - An attacker may attempt to exploit an SSRF vulnerability by sending requests with different protocols (e.g. file, dict, sftp, gopher, LDAP, etc.), IP addresses, and HTTP methods (e.g. PUT, DELETE, etc.) to see if the application is vulnerable. For instance, an attacker may try to access internal resources using the file protocol, which can allow them to read files on the server or execute arbitrary code. Similarly, an attacker may try to access resources using less common protocols like dict or gopher, which are not typically used and may not be blocked by firewalls.

The upcoming section of the blog will delve deeper into the topic of SSRF exploitation in the context of cloud-based applications. We will also explore platform-oriented attacks on internal apps and examine various migration strategies to prevent SSRF attacks.

Article by Amish Shah

Lambda functions and CORS implications

CORS (Cross-Origin Resource Sharing) is a web browser security mechanism that restricts web pages from making cross-origin requests, adhering to the Same Origin Policy (SOP). When a web page from one origin requests a resource from another origin, the browser blocks the request unless the server hosting the requested resource explicitly allows it.

In the context of AWS Lambda functions, CORS security is crucial when developing serverless applications that interact with APIs hosted on different domains. Here are some important considerations to keep in mind while working with CORS and Lambda functions:

Set CORS headers properly: When your Lambda function returns a response, it should include the appropriate CORS headers to indicate which origins are allowed to access the resource. This is typically done using the Access-Control-Allow-Origin header, which specifies the domain(s) that are allowed to make requests.

Validate all inputs: To prevent malicious requests from bypassing CORS restrictions, it is important to validate all inputs to your Lambda function. This includes checking for invalid characters, input length limits, and other security checks.

Leverage API Gateway: API Gateway offers built-in support for CORS, allowing you to specify which origins are allowed to access your API. You can configure CORS settings at the API level or at the method level. 

Restrict access: You should limit access to your Lambda function to only the necessary resources and methods. This can be done using IAM (Identity and Access Management) policies to restrict access to specific resources or API methods. 

Having HTTPS: To prevent man-in-the-middle attacks, it is recommended to use HTTPS when making requests to your Lambda function. This will also help ensure that your CORS headers are not tampered with by an attacker.

By following these best practices, you can ensure that your Lambda function is secure and not vulnerable to CORS attacks.

Top Security issues with Lambda functions

AWS Lambda functions are a fundamental element of serverless computing across networks. In serverless architecture, the cloud provider manages the underlying infrastructure, including servers and scaling, while application developers focus on writing code for specific functions or tasks. Lambda functions are small code segments that can be executed in response to events such as data changes, user requests, or scheduled tasks. One of the primary advantages of using Lambda functions is that developers only pay for the time their code runs, which is more cost-effective than paying for a dedicated server or virtual machine. Additionally, the automatic scaling of Lambda functions makes it easier to handle unpredictable or fluctuating workloads. Lambda functions can be integrated with other AWS services such as Amazon S3, Amazon DynamoDB, and Amazon API Gateway to create complex and scalable applications. They can also be used to build microservices, which are small, independent components of an application that can be developed, deployed, and scaled independently. However, Lambda functions are also susceptible to security vulnerabilities. Here are ten critical issues that we have observed lately during our pen-testing:

  • Injection Attacks: Malicious inputs can be used to inject arbitrary code into Lambda functions.
  • Broken Access Controls: Weak or improper access controls can lead to unauthorized access to resources or data.
  • Insecure Storage of Secrets: Sensitive data or credentials stored insecurely within Lambda functions could be accessed by attackers.
  • Insecure Dependencies: Insecure or outdated dependencies can introduce vulnerabilities in Lambda functions.
  • Inadequate Authentication and Authorization: Weak authentication and authorization mechanisms can lead to unauthorized access to Lambda functions.
  • Improper Error Handling: Improper handling of errors in Lambda functions could leak sensitive information that could be exploited by attackers.
  • Insufficient Encryption: Lack of encryption can make data transmitted to or stored within Lambda functions vulnerable to interception and theft.
  • Lack of Monitoring and Logging: Without proper monitoring and logging, it can be difficult to detect and respond to security incidents.
  • Denial of Service Attacks: Malicious actors can use Lambda functions to perform Distributed Denial of Service (DDoS) attacks.
  • Insider Threats: Malicious actors with legitimate access to Lambda functions can exploit vulnerabilities to steal data or perform unauthorized actions.