Server Side Request Forgery (SSRF), which is number 7 on the OWASP API Security Top 10 as of June 2023, can occur when a user-controlled URL is passed over an API and is honored and processed by the back-end server. The risk for the environment materializes if the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF.
SSRF can come in different shapes and forms, such as:
As a result of a successful SSRF attack, attackers can gain access to internal network resources within a web-based environment, compromising security mechanisms within the web service. The impact of an SSRF attack can vary depending on the capabilities of the targeted server and the resources it can access, but possible consequences include unauthorized data disclosure, data tampering, service disruption, or even full compromise of the server and its connected systems.
A Server Side Request Forgery (SSRF) API attack occurs when an attacker manipulates an API endpoint to make the targeted server perform unintended requests on behalf of the attacker. SSRF attacks exploit the trust placed in the server by tricking it into making requests to other internal or external resources that the attacker wants to interact with.
During an SSRF attack, the attacker identifies an API endpoint that allows the server to make requests to external resources, then crafts a request to the API endpoint with a manipulated URL or parameter to redirect the server's request to a different target. If they can trick the server into making a request to an internal resource, such as an internal API, database, or local files, the attacker can then access sensitive information, bypassing any intended access controls. Alternatively, if the attacker can make the server send requests to external resources, they might attempt to exploit vulnerabilities in those external systems or abuse the server to launch attacks on other servers, exfiltrate data, or scan internal networks.
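As an added example (not code from the original post or from Salt), the following shows how a back end that fetches a user-supplied URL can validate it before connecting: allow only an expected scheme and host, reject embedded credentials, and check that every address the host resolves to is public. The allowlisted host names and the injectable `resolve` hook are assumptions chosen so the example runs offline.

```python
"""Defensive validation of a user-supplied URL before the back end fetches it.

Added example; the allowlist, endpoint behaviour and resolver hook are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts this back end is legitimately expected to reach (assumed for this example).
ALLOWED_HOSTS = {"cdn.example.com", "partner-api.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(ip_text: str) -> bool:
    """True only for routable public addresses; rejects loopback, RFC 1918,
    link-local (which includes cloud metadata 169.254.x.x), multicast,
    reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). `resolve` has socket.getaddrinfo's shape and is
    injectable so the check can be tested without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # The allowlist alone is not enough: an allowed name could resolve to an
    # internal address (e.g. via DNS rebinding), so check every resolved address.
    try:
        infos = resolve(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for info in infos:
        addr = info[4][0]
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # The caller should also connect to the validated address and not follow
    # redirects automatically, otherwise a redirect can re-introduce SSRF.
    return True, "ok"
```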
Research published by Salt Labs in December 2022 found that it was possible to gain access to the internal network resources of a major LEGO-owned website, which could potentially compromise the whole security infrastructure at this web service.
Salt Labs’ findings show that the security vulnerabilities found at LEGO’s online services could have allowed an attacker to manipulate service users to gain complete control over their accounts, leak PII and other sensitive data stored internally by the service and gain access to internal production data, which could lead to full compromise of the company’s internal servers.
The issues were disclosed to the security team at the LEGO Group and further testing showed that the issues have since been resolved.
Traditional security tools like WAFs and API gateways lack context of API activity and intended business logic. They typically operate at the network or application level and focus on inspecting and filtering traffic based on predefined rules and patterns. While these tools may be able to detect and block certain known SSRF patterns or malicious URLs, they often lack contextual knowledge of the application's specific behavior and intended API interactions. As a result, sophisticated SSRF attacks that involve dynamic API requests will go undetected. Additionally, API gateways and WAFs are designed to manage incoming and outgoing traffic and are unable to monitor access to the internal resources that are often targeted in an SSRF attack.
API security solutions must be able to identify anomalous API activity where a user-controlled URL is passed over an API and is honored and processed by the back-end server. To do this, API security solutions must be able to continuously baseline normal API behavior and identify dynamic or non-standard API calls that fall outside of typical behavior. API security solutions should also be able to identify attackers as they probe the API during their reconnaissance phase to gain an understanding of the API structure and business logic.