Learn about API7:2023 Server Side Request Forgery, its impacts, prevention measures, and example attack scenarios. Protect your API from SSRF vulnerabilities.
This article discusses the threat agents, security weakness, and impacts associated with API7:2023 Server Side Request Forgery. It provides information on how to determine if an API is vulnerable to SSRF and gives examples of attack scenarios. The article also includes preventive measures to avoid SSRF attacks.
API7:2023 Server Side Request Forgery is a security vulnerability that occurs when an API fetches a remote resource without validating the user-supplied URL. This can allow an attacker to send crafted requests to unexpected destinations, bypassing firewalls or VPN protection. The article explains the exploitability, prevalence, and impacts of SSRF attacks. It also highlights the common issues and lack of validation that lead to SSRF vulnerabilities.

The impacts of successful exploitation include internal services enumeration, information disclosure, bypassing security mechanisms, and potential denial of service attacks. Modern application development concepts make SSRF more common and dangerous, with technologies like cloud providers, Kubernetes, and Docker exposing management and control channels over HTTP.

The article provides example attack scenarios, such as exploiting user-provided profile picture URLs and leveraging webhooks integration. It also details preventive measures like isolating resource fetching mechanisms, using allow lists, disabling HTTP redirections, and validating and sanitizing client-supplied input data.
To prevent API7:2023 Server Side Request Forgery, it is recommended to isolate the resource fetching mechanism in your network and use allow lists for remote origins, URL schemes and ports, and accepted media types. Disable HTTP redirections and use a well-tested URL parser. Additionally, validate and sanitize all client-supplied input data, ensuring that raw responses are not sent to clients.
Scenario #1: Exploiting user-provided profile picture URLs. A social network allows users to upload profile pictures by providing the URL of the image. An attacker can send a malicious URL and initiate port scanning within the internal network using the API endpoint. By analyzing the response time, the attacker can determine whether the port is open.
Scenario #2: Exploiting webhooks integration. A security product integrates with a SIEM (Security Information and Event Management) system using webhooks. When a webhook is created, the API sends a test request to the provided webhook URL and presents the response to the user. An attacker can leverage this flow and make the API request a sensitive resource, such as an internal cloud metadata service that exposes credentials. By viewing the response from the test request, the attacker can retrieve the credentials of the cloud environment.
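The following example, added for this article and not taken from OWASP or any product, puts the prevention measures listed above (allow lists for scheme, host, port and media type; no HTTP redirections; a standard URL parser; no raw upstream response reaching the client) into a small outbound fetcher, and shows how it refuses the inputs from both scenarios. The host names, IP addresses and allow-list contents are constructed; the `resolver` parameter is an assumption of this example so the checks can run offline and so a DNS answer pointing at an internal address is caught even when the host name itself is on the allow list.

```python
"""Hardened outbound fetcher illustrating the API7:2023 prevention measures.
Example code written for this article; all hosts, IPs and allow lists are constructed."""
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

# Allow lists (constructed for this example; a deployment would load them from config).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "siem.example.com"}  # assumed host names
ALLOWED_PORTS = {443}
ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg"}
MAX_BODY_BYTES = 5 * 1024 * 1024


def url_rejection_reason(url, resolver=socket.gethostbyname):
    """Return None if `url` passes every allow list, otherwise a short reason.

    `resolver` maps a host name to an IP string. It is injectable so the check
    can be exercised without network access, and it lets us reject a host that
    is on the allow list but resolves to a loopback, private or link-local
    address (the kind of target both scenarios rely on).
    """
    try:
        parts = urllib.parse.urlsplit(url)  # well-tested stdlib parser
        port = parts.port                   # raises ValueError on a bad port
    except ValueError:
        return "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo in url not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} not in allow list"
    if (port if port is not None else 443) not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    try:
        addr = ipaddress.ip_address(resolver(parts.hostname))
    except (OSError, ValueError):
        return "host did not resolve"
    if not addr.is_global:
        return f"host resolves to non-public address {addr}"
    return None


def media_type_allowed(content_type_header):
    """Compare only the media type, ignoring parameters such as charset."""
    media_type = (content_type_header or "").split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_MEDIA_TYPES


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx: an allow-listed host must not be able to bounce us elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_allowed_resource(url, resolver=socket.gethostbyname):
    """Fetch `url` through the allow lists and return (content_type, body).

    Callers should store or transform the body; the upstream response is never
    echoed back to the client verbatim, which is what made Scenario #2 useful
    to the attacker.
    """
    reason = url_rejection_reason(url, resolver)
    if reason is not None:
        raise ValueError(f"refused to fetch: {reason}")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=5) as resp:
            content_type = resp.headers.get("Content-Type", "")
            if not media_type_allowed(content_type):
                raise ValueError(f"media type {content_type!r} not allowed")
            return content_type, resp.read(MAX_BODY_BYTES)
    except urllib.error.HTTPError as exc:
        # Redirects land here because they are refused; report the status only.
        raise ValueError(f"upstream returned HTTP {exc.code}") from None


if __name__ == "__main__":
    # Constructed DNS answers: the SIEM host name is allow-listed but points inside.
    fake_dns = {"images.example.com": "93.184.216.34", "siem.example.com": "10.0.0.5"}
    for candidate in (
        "https://images.example.com/avatar.png",          # accepted
        "http://169.254.169.254/latest/meta-data/",        # Scenario #2 style target
        "https://images.example.com:8080/",               # Scenario #1 style port probe
        "https://siem.example.com/hook",                  # allow-listed name, internal IP
    ):
        print(candidate, "->", url_rejection_reason(candidate, fake_dns.__getitem__))
```

The resolve-then-check step is deliberately separate from the host allow list: the allow list stops arbitrary destinations, and the address check catches an allow-listed name whose DNS answer has been pointed at an internal range. Note that the address used for the check and the address the HTTP client connects to can still differ if DNS changes between the two lookups; pinning the connection to the checked address is the next hardening step and is out of scope here.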