API7:2023 Server Side Request Forgery

Stephanie Best
Jun 6, 2023

Server Side Request Forgery (SSRF), which is number 7 on the OWASP API Security Top 10 as of June 2023, can occur when a user-controlled URL is passed over an API and is honored and processed by the back-end server. The risk for the environment materializes if the back-end server tries to connect to the user-supplied URL, which opens the door for SSRF.

SSRF can come in different shapes and forms, such as:

  • The back-end server establishes a connection to a domain outside the control of the attacker, and while doing so, it can reveal internal credentials that could be used to intensify an attack.
  • A port-scan or service-discovery attack against the back-end server becomes possible, since the server can be made to connect to its own loopback interface over a variety of TCP ports.
  • The back-end server links to internal services that an attacker would not otherwise be able to access, increasing the attack surface and allowing for more chained attack paths.
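The common thread in all three shapes is a back-end that fetches whatever URL it is handed. As an added example (not code from the original post), the function below is the check a defender would put in front of such a fetch: scheme and host allowlist first, then every resolved address tested against loopback, private and link-local ranges. The `ALLOWED_HOSTS` set, the function names and the injectable `resolver` argument are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist: the only hosts this API is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}

def is_public_address(addr: str) -> bool:
    """False for loopback, RFC 1918, link-local (where cloud metadata
    services live), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_fetch_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return "ok" if the back-end may fetch url, else the rejection reason.

    Scheme, embedded credentials and the host allowlist are checked before
    any DNS lookup, so untrusted input alone never triggers a resolution.
    Every resolved address must be public, because one name can map to
    both a public and an internal address. `resolver` is injectable so the
    check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    if host not in ALLOWED_HOSTS:
        return "host not on allowlist"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return "invalid port"
    try:
        infos = resolver(host, port)
    except OSError:
        return "dns resolution failed"
    for info in infos:
        addr = info[4][0]
        if not is_public_address(addr):
            return f"resolves to non-public address {addr}"
    return "ok"
```

Two things this check does not cover on its own: an HTTP redirect must be re-validated at every hop, and the address actually connected to should be the one that was checked, not a second lookup made later by the HTTP client.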

Potential Impact of a Server Side Request Forgery Attack

As a result of a successful SSRF attack, attackers can gain access to internal network resources within a web-based environment, compromising security mechanisms within the web service. The impact of an SSRF attack can vary depending on the capabilities of the targeted server and the resources it can access, but possible consequences include unauthorized data disclosure, data tampering, service disruption, or even full compromise of the server and its connected systems.

What Does a Server Side Request Forgery Attack Look Like?

A Server Side Request Forgery (SSRF) API attack occurs when an attacker manipulates an API endpoint to make the targeted server perform unintended requests on behalf of the attacker. SSRF attacks exploit the trust placed in the server by tricking it into making requests to other internal or external resources that the attacker wants to interact with.

During an SSRF attack, the attacker identifies an API endpoint that allows the server to make requests to external resources, then crafts a request to that endpoint with a manipulated URL or parameter that redirects the server's request to a different target. If they can trick the server into making a request to an internal resource, such as an internal API, database, or local file, the attacker can access sensitive information and bypass the intended access controls. Alternatively, if the attacker can make the server send requests to external resources, they might attempt to exploit vulnerabilities in those external systems or abuse the server to launch attacks on other servers, exfiltrate data, or scan internal networks.

Real-World Example: LEGO’s online services’ SSRF vulnerability

Research published by Salt Labs in December 2022 found that it was possible to gain access to the internal network resources of a major LEGO-owned website, which could potentially compromise the whole security infrastructure at this web service.

Salt Labs’ findings show that the security vulnerabilities found at LEGO’s online services could have allowed an attacker to manipulate service users to gain complete control over their accounts, leak PII and other sensitive data stored internally by the service and gain access to internal production data, which could lead to full compromise of the company’s internal servers.

The issues were disclosed to the security team at the LEGO Group and further testing showed that the issues have since been resolved.

Why Existing Tools Can’t Protect You Against Server Side Request Forgery

Traditional security tools like WAFs and API gateways lack context about API activity and intended business logic. They typically operate at the network or application level and focus on inspecting and filtering traffic based on predefined rules and patterns. While these tools may be able to detect and block certain known SSRF patterns or malicious URLs, they often lack contextual knowledge of the application's specific behavior and intended API interactions. As a result, sophisticated SSRF attacks that involve dynamic API requests will go undetected. Additionally, API gateways and WAFs are designed to manage incoming and outgoing traffic and are unable to monitor access to the internal resources that are often targeted in an SSRF attack.

How to Protect Against Server Side Request Forgery API Attacks

API security solutions must be able to identify anomalous API activity in which a user-controlled URL is passed over an API and is honored and processed by the back-end server. To do this, they must continuously baseline normal API behavior and identify dynamic or non-standard API calls that fall outside of typical behavior. API security solutions should also be able to identify attackers as they probe the API during their reconnaissance phase to gain an understanding of the API structure and business logic.
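One concrete form of the baselining described above, added here as an example rather than taken from the original post: a caller whose URL parameter fans out across many distinct host:port pairs within a short window is behaving like the loopback port scan listed earlier, while normal callers touch a few stable hosts. The log format, field names, client identifiers and thresholds below are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: k1 fetches two images from the expected host; k2 feeds
# the endpoint loopback URLs on six different ports within a few seconds.
SAMPLE_LOG = """\
2023-06-06T10:00:01Z client=k1 endpoint=/api/fetch url=https://images.example.com/a.png
2023-06-06T10:00:02Z client=k1 endpoint=/api/fetch url=https://images.example.com/b.png
2023-06-06T10:00:05Z client=k2 endpoint=/api/fetch url=http://localhost:22/
2023-06-06T10:00:06Z client=k2 endpoint=/api/fetch url=http://localhost:80/
2023-06-06T10:00:07Z client=k2 endpoint=/api/fetch url=http://localhost:3306/
2023-06-06T10:00:08Z client=k2 endpoint=/api/fetch url=http://localhost:6379/
2023-06-06T10:00:09Z client=k2 endpoint=/api/fetch url=http://localhost:8080/
2023-06-06T10:00:10Z client=k2 endpoint=/api/fetch url=http://localhost:9200/
"""

def parse_line(line: str) -> dict:
    """Split 'ts key=value ...' into a dict with a parsed 'ts' datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def target_of(url: str) -> tuple:
    """Normalise a user-supplied URL to the (host, port) the back-end would hit."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return ((p.hostname or "").lower(), port)

def find_probing_clients(log_text: str, window=timedelta(seconds=60),
                         min_targets: int = 5) -> dict:
    """Return {client: sorted distinct (host, port)} for every client that asked
    the endpoint to reach at least min_targets distinct targets within one
    sliding window of length `window`."""
    events = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        events[rec["client"]].append((rec["ts"], target_of(rec["url"])))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[client] = sorted(targets)
                break
    return flagged
```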
