Understanding and Testing for SSRF
Time: 2 hours 9 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
Understanding and testing for SSRF. Our learning objectives are to describe SSRF, demonstrate and test for various types of SSRF flaws, and explain how to remediate SSRF.

What is SSRF? We talked about this a lot actually in our last lesson. But basically, an application is developed to import data from another website or use data from another website, and you'll see that being passed through a parameter in the URL. If you're testing for this as a web application security tester, look for parameters like "url" that may indicate that another URL, another website, is being passed in, or just look for something like "https" that's passed into the URL as well, another website being passed in. Those are very telltale signs that you might be able to modify that URL in the browser and try to reach other sites and do other types of attacks.

As you can see, an attacker can modify the call by supplying a different URL. If you have your own server, you can change that, or even a Netcat listener you set up, as long as that website is internal. If you're on an internal network, you can just modify that to your IP address if you have your own Netcat listener and see if the request is being passed to you. If you're out there on the Internet and the server is too, you can't do that so easily. I usually like to stand up an EC2 instance; I can put Netcat on there or I could use a web server, and I can see if I can modify the URL to contact my website instead of the intended website for that application.

You can also change this not only to reach an external server; you can try to reach internal ports. I talked about this in the previous lesson, but let's say something like Tomcat is running on port 8080, or phpMyAdmin is running on another port like 8888 or 8080, and it is only accessible by localhost, meaning that only people locally on that box can access it. Through SSRF, you as the attacker can put that URL into the URL bar and change that to an internal port and try to enumerate the server and other ports on that server. You can also enumerate internal endpoints as well.

I also explained at length why this can be considered an injection attack: we're injecting an arbitrary URL, or we can read arbitrary files by modifying the URL to whatever we want it to be, injecting whatever data we want and seeing if we could do something malicious with that.

You might say, "Clint, well, if I can read local files, why is RFI the same as SSRF?" That's a great question. They are incredibly similar attacks. When we're using RFI, we're trying to execute code. Typically this is PHP we're trying to use; we're trying to use PHP to execute code on the victim's server. With SSRF I've not really seen that. That's not to say you can't do it, but that's just me being able to reach out to my own website with SSRF, versus RFI, remote file inclusion, where I'm trying to execute code to gain a shell on that website or execute some PHP on the victim website itself.

Why is this bad in the cloud? I've done extensive research on this. I did a talk with my buddy Mark Schmidt on this at BSides NoVA in 2021, I think. It's great, and it's free. If you go onto YouTube, there's the link there. But basically, cloud services, all three of them, use a metadata service. What the metadata service does is tell metadata about the server. If we're using AWS, an EC2 has a metadata service. Using that, I can pull all data about the EC2. I can also pull things like access keys, secret keys, tokens, and then use the AWS command line to try to do other malicious things on that account. If I have access to S3 buckets, I can then try to gain access to the S3 bucket, or I can maybe spin up more EC2s. The cloud service makes SSRF dangerous because if you can reach this metadata service, you now may have access to the person's entire account and can do all things to that account. Please watch that YouTube video. It's about an hour. It's long, but I think it's worth watching.

Let's go to the Web Security Testing Guide. It's right here, WSTG-INPV-19. Testing focuses on local or remote file inclusion. There we go, we talk about LFI and RFI. It's very similar to these types of attacks, our ability to read local files or reach out to other websites. Again, it's easy to identify an application making requests to another website. We simply have to look at the GET request that is being made to see if there's another website being included in there. Here's our example. Look for applications that load pages. Here's a parameter, page=account.php. I'm changing that now to my attacker box and trying to use a shell here, something like remote file inclusion. The second example is 127.0.0.1, localhost. I'm trying to access a restricted page I couldn't otherwise access; that's my hint for the lab in this lesson. And also pulling local files, like we see here, file /etc/passwd. These are some of the attacks. But go to the Web Security Testing Guide and read the whole thing and see what you can do with SSRF. It's a short read. I highly recommend looking at the Web Security Testing Guide for SSRF.

How do we prevent this? We sanitize, just like any injection attack. We sanitize and validate client-supplied input. Sounds very much like injection, the ways to prevent that. Unfortunately, URL schema, port, we're not able to. You're looking for attackers who are trying to access a different port and trying to prevent that from happening by enforcing a strict schema, a strict port, a strict destination with a positive allow list. We want to disable HTTP redirections. Again, we're only contacting whatever site and not redirecting to an attacker-controlled site. We're enforcing deny by default. We've seen this throughout these courses: deny by default, least privilege. So enforce deny-by-default firewall policies or network access control rules so that an attacker can't enumerate other internal traffic, or I should say other internal endpoints. There are some network controls in place there. The Internet, there's some network enforcement there. Segment remote resource access functionality in separate networks to reduce the impact of SSRF. You can see at the bottom here I've included this link, again to server-side request forgery, but there are some helpful links here on how to prevent it.

In summary, I've explained how to describe SSRF, how to test for SSRF, and ways to remediate, or I should say prevent, SSRF.
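The prevention controls the lesson lists (a positive allow list of scheme, host and port, deny by default, and never letting the request land in internal address space such as localhost or the cloud metadata service) as an added Python example; this is not code from the lesson or the WSTG. The allow list, the stub resolver and its addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical positive allow list: the only remote site this feature may fetch.
ALLOWED = {("https", "images.example.com", 443)}

# Constructed stub resolver so the example runs offline. A real deployment
# resolves the host, applies the same address check, and pins that address
# for the actual connection (DNS rebinding), with HTTP redirects disabled.
FAKE_DNS = {
    "images.example.com": ["8.8.8.8"],           # constructed public sample
    "metadata.internal": ["169.254.169.254"],    # cloud metadata service address
}

def is_blocked_ip(addr: str) -> bool:
    """True for loopback, private, link-local (incl. 169.254.169.254) or other non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_fetch_url(url: str, resolve=lambda h: FAKE_DNS.get(h, [])):
    """Deny by default: returns (allowed, reason). Only an exact scheme/host/port match passes."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        # "https://images.example.com@evil.example/" parses host as evil.example
        return False, "credentials in URL are not allowed"
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme)
    if (parts.scheme, host, port) not in ALLOWED:
        return False, f"{parts.scheme}://{host}:{port} is not in the allow list"
    # Even an allowed name must not resolve into internal space.
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```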