Overview: SSRF


Time
2 hours 9 minutes
Difficulty
Intermediate
Video Transcription
>> Let's look at the final category of the OWASP Top 10 in 2021, Server-Side Request Forgery, or SSRF for short. Our learning objectives are to describe the changes from OWASP Top 10 in 2017 to 2021 and explain the one CWE that makes up SSRF. Now, if you've been following this course, we've not seen this before. We've not seen only one CWE; we've seen 40, many CWEs that fall into a category. This is probably the most straightforward because there's only one.

SSRF, this is the first time it's made it into the OWASP Top 10. But that's not to say it hasn't been spoken about; it actually was in the survey in 2017 that 550 people filled out, but it didn't make it into the official top 10 at that point in time. What did make it into the top 10 in 2017 was XXE, or XML external entities, which allows for server-side request forgery. In a way, SSRF did appear in the top 10 in 2017, just in a different way. What happened was there were other categories, like vulnerable and outdated components, that were voted on, and actually I think that one was number 2, was selected as number 2 from the survey in 2021. SSRF was voted number 1. The difference being that for vulnerable and outdated components there was enough data to back it up being in and of itself in the OWASP Top 10 without the community having to vote on it. SSRF needed the community to vote on it because it just has such a low incident rate compared to all the other categories, as we'll see in the next slide.

Again, there's one CWE. SSRF, the max incident rate is really tiny, 2.72, and same with the average incident rate; they're both the same number. The average weighted exploitability is pretty high, 8.28, the average weighted impact 6.72, so high, and the total occurrence is just under 10,000. It's the lowest that we've seen so far, and there are 385 CVEs, remember, specific for an application piece of software, mapped to this one CWE. I highly recommend that you go to this link at the bottom of the screen to look at the official website.

Now, SSRF, we'll talk about this in the next lesson, but it's a type of injection attack. It's not an injection, of course; it has its own category. But that's to say we've seen during all of these modules that there's some similarities between all of them. We've seen things like cross-site scripting, that once had its own category, now included in injection. XXE is included in another category; it doesn't have its own category in and of itself. SSRF, you may be able to put it into something like injection, but because the community voted on it, here it is at number 10.

Let's look at the CWE. I took a screenshot from the MITRE website. I don't want to read the whole thing verbatim for CWE-918. But basically, if you look at the URI, or within the URL bar I should say, you see like a parameter or something that's reaching out to another website, https, not just the root of the website, https://example.com. You saw a parameter in there that also said like url=https://website.com. As an attacker, you may be able to modify that HTTPS and contact either an external website or an internal website. A lot of the time in a server there are other ports where things are running; they're just blocked from attackers getting to it. The firewall is up, doesn't let you reach other ports; like maybe port 8080 is accessible to the localhost only, but it's not accessible to external attackers or external traffic. With SSRF you can reach these internal ports that you normally couldn't. That's not to say you can't do other things, like if you're on your browser right now you do file colon, three forward slashes, I have a Mac so I could do /etc/passwd, and that's P-A-S-S-W-D. If I do that, I can pull my /etc/passwd file. You'll also do something like TFTP; there's an example down here, gopher, PHP. It's not just another website; we can pull files locally, or we can mess with PHP if the server is using PHP to do things like read the PHP files. The trivia question here is the alternate term for this is cross-site port attack, XSPA. I've never seen that before, but I found that on the MITRE website, so, trivia for you.

In summary, we've explained SSRF, why it was added to the top 10 in 2021, and we've described the one CWE that makes up SSRF. In the next lesson we'll explain it in more detail, so hang on.
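The `url=` fetch parameter the lesson describes, with the server-side check a defender would put in front of the fetch so that `file:///etc/passwd`, `gopher://`, localhost-only ports like 8080 and other non-global addresses are refused. This is an added example, not code from the lesson; it uses only the Python 3 standard library, and the `resolver` hook exists so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes: no file://, gopher://, tftp://, dict:// fetches.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Every address the host resolves to (real DNS; replaced in tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=default_resolver):
    """Decide whether the server may fetch a user-supplied URL.

    Returns (True, ip_to_connect_to) or (False, reason). A URL is rejected
    if its scheme is not http(s), it has no host, or the host resolves to
    any non-global address: loopback, RFC 1918, link-local (which covers
    the 169.254.169.254 cloud metadata range), IPv4-mapped IPv6, etc.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r} for {host}"
        if not ip.is_global:
            return False, f"{host} resolves to non-global address {ip}"
    # Callers should connect to this checked IP (setting the Host header
    # themselves) rather than resolving again, which would reopen the
    # check to DNS rebinding.
    return True, sorted(addrs)[0]


if __name__ == "__main__":
    # Constructed sample inputs in the shape the lesson describes.
    for candidate in ("https://example.com/report", "file:///etc/passwd",
                      "http://127.0.0.1:8080/admin", "gopher://localhost:70/"):
        print(candidate, "->", check_outbound_url(candidate))
```

Run stand-alone it resolves example.com over real DNS; the scheme and literal-IP cases need no network at all.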