Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Technical

API7:2023 Server Side Request Forgery

Stephanie Best
Jun 6, 2023

Server Side Request Forgery (SSRF), which is number 7 on the OWASP API Security Top 10 as of June 2023, can occur when a user-controlled URL is passed over an API and is honored and processed by the back-end server. The risk for the environment materializes if the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF.

SSRF can come in different shapes and forms, such as:

  • The back-end server establishes a connection to a domain outside the control of the attacker, and while doing so, it can reveal internal credentials that could be used to intensify an attack.
  • A port scan service discovery attack against the back-end server is possible since it connects to its loopback interface over a variety of TCP ports.
  • The back-end server links to internal services that an attacker would not otherwise be able to access, increasing the attack surface and allowing for more chained attack paths.

Learn why apps are built on APIs, the security risk APIs present, and best practices for securing APIs.

Potential Impact of a Server Side Request Forgery Attack

As a result of a successful SSRF attack, attackers can gain access to internal network resources within a web-based environment, compromising security mechanisms within the web service. The impact of an SSRF attack can vary depending on the capabilities of the targeted server and the resources it can access, but possible consequences include unauthorized data disclosure, data tampering, service disruption, or even full compromise of the server and its connected systems.

What Does a Server Side Request Forgery Attack Look Like?

A Server Side Request Forgery (SSRF) API attack occurs when an attacker manipulates an API endpoint to make the targeted server perform unintended requests on behalf of the attacker. SSRF attacks exploit the trust placed in the server by tricking it into making requests to other internal or external resources that the attacker wants to interact with.

During a SSRF attack, the attacker identifies an API endpoint that allows the server to make requests to external resources, then crafts a request to the API endpoint with a manipulated URL or parameter to redirect the server's request to a different target. If they can trick the server into making a request to an internal resource, such as an internal API, database, or local files, the attacker can then access sensitive information, bypassing any intended access controls. Alternatively, if the attacker can make the server send requests to external resources, they might attempt to exploit vulnerabilities in those external systems or abuse the server to launch attacks on other servers, exfiltrating data, or scanning internal networks.

Real-World Example: LEGO’s online services’ SSRF vulnerability

Research published by Salt Labs in December 2022 found that it was possible to gain access to the internal network resources of a major LEGO-owned website, which could potentially compromise the whole security infrastructure at this web service.

Salt Labs’ findings show that the security vulnerabilities found at LEGO’s online services could have allowed an attacker to manipulate service users to gain complete control over their accounts, leak PII and other sensitive data stored internally by the service and gain access to internal production data, which could lead to full compromise of the company’s internal servers.

The issues were disclosed to the security team at the LEGO Group and further testing showed that the issues have since been resolved.

Why Existing Tools Can’t Protect You Against Server Side Request Forgery

Traditional security tool like WAFs and API gateways lack context of API activity and intended business logic. They typically operate at the network or application level and focus on inspecting and filtering traffic based on predefined rules and patterns. While these tools may be able to detect and block certain known SSRF patterns or malicious URLs, they often lack contextual knowledge of the application's specific behavior and intended API interactions. As a result, sophisticated SSRF attacks that involve dynamic API requests will go undetected. Additionally, API gateways and WAFs are designed to manage incoming and outgoing traffic and are unable to monitor access to internal resources that are often targeted in a SSRF attack.

How to Protect Against Server Side Request Forgery API Attacks

API security solutions must be able to identify anomalous API activity where a user-controlled URL is passed over an API and is honored and processed by the back-end server. To do this, API security solutions must be able to continuously baseline normal API behavior and identify dynamic or non-standard API calls that fall outside of typical behavior. API Security solutions should also be able to identify attackers as they probe the API during their reconnaissance phase to gain an understanding of the API structure and business logic.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

October 31, 2024

Alexandria Nicosia
Social Media Manager

Industry

Securing APIs in Retail: Safeguarding Customer Data

In the fast-paced retail industry, where customer trust and data protection are critical, API security must be a top priority to ensure both reliability and a seamless customer experience, confidence, and trust in digital services.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back