OWASP Top 10 Part 10: Server-Side Request Forgery

21.10.2024 2 minutes Author: Lady Liberty

Let’s talk about SSRF (Server-Side Request Forgery), a class of vulnerability that lets an attacker trick a server into making requests it should not make, to internal or external resources. This article describes Blue Team and Red Team methods for detecting and preventing such vulnerabilities, along with recommendations for validating URLs and restricting access to protected resources.

How to protect the server from dangerous requests and avoid data leakage

Server-Side Request Forgery (SSRF) vulnerabilities allow an attacker to make the server issue requests, to internal or external resources, that it should never be requesting. Because the request originates from the server, it carries the server's network position: it can reach hosts behind the firewall, services bound to loopback and cloud metadata endpoints that are unreachable from the outside.

1. Use of untrusted data in requests:

  • Description: User-supplied data is used to build outbound requests without proper validation.

  • Example: An application lets users specify a URL that the server then fetches; a URL pointing at an internal resource makes the server leak that resource's contents.

2. Access to internal resources:

  • Description: Attackers trick the server into requesting internal or otherwise protected resources on their behalf.

  • Example: Exploiting the vulnerability to reach internal APIs or services that are not meant to be accessible from outside.

3. Disclosure of confidential information:

  • Description: Using the server's requests to obtain confidential information from other servers.

  • Example: Reading data that should not be reachable externally, such as internal interfaces or administrative panels.

Blue team

1. URL verification and validation

Ensure that every URL that comes from a user is validated and checked before it is used. In PHP (Laravel), for example, the URLs used for API requests can be validated so that only an allowlist of safe domains is accepted.

2. Restriction of access to internal resources

Do not let externally triggered requests reach internal resources or protected APIs. Restrict access to local resources and services in the server and network configuration, so that the application's outbound connections cannot reach them even if a validation check is bypassed.

Use allowlists (whitelists) of URLs for outbound requests so that the server never contacts unauthorized or unsafe resources.
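The two Blue Team steps above, as an added example that is not code from the original article (the article mentions PHP/Laravel; this is Python so it runs stand-alone): the URL is validated against an allowlist, the name is resolved once and every returned address is checked against loopback, private, link-local (including the 169.254.169.254 metadata address) and IPv4-mapped IPv6 ranges, the connection is pinned to the checked address, and redirects are re-validated instead of being followed by the client. The host names, the allowlist and the stub DNS table are assumptions made for the demonstration.

```python
# Added example (not code from the article): SSRF-safe outbound request
# planning. ALLOWED_HOSTS, the partner names and CONSTRUCTED_DNS are assumptions.
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # hypothetical

class UnsafeURL(ValueError):
    """The request must not be sent."""

@dataclass(frozen=True)
class RequestPlan:
    ip: str    # connect to THIS checked address; never re-resolve the name
    port: int
    host: str  # Host header and TLS SNI
    path: str

def is_public_ip(ip: str) -> bool:
    """Reject addresses that reach the host itself, the LAN or cloud metadata."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    # 100.64.0.0/10 (shared address space) is routable inside some clouds
    return addr not in ipaddress.ip_network("100.64.0.0/10")

def validate_url(url: str) -> tuple[str, int, str]:
    """Syntactic checks: https only, no userinfo, allowlisted host, port 443."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.partner.example@10.0.0.1/ : the real host is after '@'
        raise UnsafeURL("userinfo in URL")
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port != 443:
        raise UnsafeURL(f"port not allowed: {port}")
    return host, port, (parts.path or "/") + (f"?{parts.query}" if parts.query else "")

def resolve_checked(host: str, port: int, resolver=socket.getaddrinfo) -> str:
    """Resolve once, check EVERY returned address, return one to connect to.
    Pinning the connection to that IP defeats DNS rebinding, where a second
    lookup made later by the HTTP client would return 127.0.0.1 instead."""
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host}: {exc}") from exc
    ips = [info[4][0] for info in infos]
    if not ips:
        raise UnsafeURL(f"no addresses for {host}")
    for ip in ips:
        if not is_public_ip(ip):
            raise UnsafeURL(f"{host} resolves to internal address {ip}")
    return ips[0]

def plan_request(url: str, resolver=socket.getaddrinfo) -> RequestPlan:
    host, port, path = validate_url(url)
    return RequestPlan(resolve_checked(host, port, resolver), port, host, path)

def plan_redirect(plan: RequestPlan, location: str,
                  resolver=socket.getaddrinfo) -> RequestPlan:
    """Never let the HTTP client follow redirects by itself: an allowlisted
    host can answer '302 Location: http://169.254.169.254/'. Re-check it."""
    return plan_request(urljoin(f"https://{plan.host}{plan.path}", location), resolver)

def is_safe(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        plan_request(url, resolver)
        return True
    except UnsafeURL:
        return False

# Constructed DNS answers so the demo runs offline; cdn.* simulates an
# allowlisted name that (via rebinding or compromise) also points inside.
CONSTRUCTED_DNS = {"api.partner.example": ["93.184.216.34"],
                   "cdn.partner.example": ["93.184.216.34", "10.0.0.5"]}

def stub_resolver(host, port, family=0, type=0, proto=0, flags=0):
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in CONSTRUCTED_DNS[host]]

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/users?id=7", "https://cdn.partner.example/x",
              "https://api.partner.example@10.0.0.1/", "https://169.254.169.254/latest/"):
        print(u, "->", "allowed" if is_safe(u, stub_resolver) else "blocked")
```

The returned RequestPlan is what the HTTP layer should consume: open the socket to plan.ip and send plan.host in the Host header (and as the TLS server name), so the address that was checked is the address that is used. Replace stub_resolver with the default socket.getaddrinfo in production; the stub exists only so the example runs offline.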

Red team

1. Detection of SSRF vulnerabilities

Test the application for SSRF by supplying a range of URLs to every parameter the server fetches. Send requests that try to reach local resources (loopback addresses, link-local and cloud metadata addresses) or internal APIs:

Use testing tools such as Burp Suite or OWASP ZAP to automate sending these potentially dangerous URLs.

2. URL validation testing

Try to bypass the URL validation mechanisms and see whether internal resources can still be reached. Test whether a request goes through with URLs that are malformed, encoded differently, or otherwise not properly checked by the validator:

Modify query parameters to check whether unauthorized URLs are processed, or whether the response discloses data that reveals the vulnerability.
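An added example (not from the article) of the kind of probe list a tester would feed into a URL parameter with Burp Intruder or ZAP fuzzing; it goes slightly beyond the text by generating several spellings of the same internal address and then checking them against a deliberately naive substring validator to show which ones get through. api.partner.example and attacker.example are assumed names; 169.254.169.254 is the link-local address cloud providers use for instance metadata.

```python
# Added example (not code from the article): generate SSRF probes that spell
# the same internal address several ways, and show which of them slip past a
# string-matching validator. api.partner.example is an assumed allowlisted host.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "api.partner.example"  # hypothetical allowlisted host

def naive_is_allowed(url: str) -> bool:
    """The kind of check these probes are aimed at: substring matching only."""
    return (ALLOWED_DOMAIN in url and "127.0.0.1" not in url
            and "localhost" not in url and "169.254." not in url)

def spellings_of(ip: str) -> list[str]:
    """Alternative encodings of one IPv4 address that inet_aton-style parsers
    (curl and many HTTP client libraries) accept but a literal check misses."""
    n = int(ipaddress.IPv4Address(ip))
    o = [int(x) for x in ip.split(".")]
    return [
        ip,
        str(n),                                         # decimal: 2130706433
        hex(n),                                         # hex: 0x7f000001
        ".".join(f"0{x:o}" for x in o),                 # octal: 0177.00.00.01
        f"{o[0]}.{(o[1] << 16) | (o[2] << 8) | o[3]}",  # short form: 127.1
        f"[::ffff:{n >> 16:x}:{n & 0xffff:x}]",         # IPv4-mapped IPv6: [::ffff:7f00:1]
    ]

def ssrf_probes(ip: str = "127.0.0.1", port: int = 80) -> list[str]:
    """Values to place in a parameter the server fetches (e.g. ?url=...).
    Passing ip="169.254.169.254" targets cloud instance metadata."""
    probes = []
    for host in spellings_of(ip):
        probes.append(f"http://{host}:{port}/")
        # userinfo trick: allowlisted name before '@', real host after it
        probes.append(f"http://{ALLOWED_DOMAIN}@{host}:{port}/")
        # the allowlisted name appears, but only in the fragment or the path
        probes.append(f"http://{host}:{port}/#{ALLOWED_DOMAIN}")
        probes.append(f"http://{host}:{port}/{ALLOWED_DOMAIN}")
    # suffix trick; assumes attacker.example is under the tester's control
    probes.append(f"http://{ALLOWED_DOMAIN}.attacker.example/")
    return probes

def actual_host(url: str) -> str:
    """What a real URL parser (and so the server's HTTP client) connects to."""
    return urlsplit(url).hostname or ""

def bypasses(probes: list[str]) -> list[str]:
    """Probes the naive validator accepts although the real host is not the
    allowlisted one: each of these is a finding to report."""
    return [u for u in probes
            if naive_is_allowed(u) and actual_host(u) != ALLOWED_DOMAIN]

if __name__ == "__main__":
    for target in ("127.0.0.1", "169.254.169.254"):
        probes = ssrf_probes(target)
        hits = bypasses(probes)
        print(f"{target}: {len(hits)} of {len(probes)} probes bypass the naive check")
        for u in hits:
            print("  ", u, "->", actual_host(u))
```

Every URL in bypasses() contains the allowlisted name somewhere, yet the host the client would actually connect to is the internal address. That is the difference between checking a string and checking a parsed host, and it is why the Blue Team validation must parse the URL, resolve the host and check the resulting address rather than look for substrings.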
