SSRF

CWE-918: Server-Side Request Forgery (SSRF)

  • When an API fetches a remote resource without validating the user-supplied URL.

  • The attacker can force the application to send a request to an unexpected destination, such as localhost or another internal host, bypassing firewalls, VPNs, or network ACLs that would block the attacker from reaching it directly.

The web API stores the location of uploaded files as a file:// URI, the scheme used to represent local file-system paths (Figure 1). Wherever a stored URI is later dereferenced by the server, the question is who controls its value.

Figure 1: Finding a potential vulnerable-to-SSRF endpoint.

This URI is persisted and is visible under the /supplier-companies/current-user endpoint (Figure 2).

Figure 2: The URI path is now stored in the application.

The PATCH /api/v1/supplier-companies endpoint lets the user overwrite the stored URI (Figure 3). This should not be possible: the value should be set only server-side, from the file accepted by the POST /api/v1/supplier-companies/certificates-of-incorporation endpoint, and never taken from a client-supplied field.

Figure 3: The URI path can be manually modified by the user.

An attacker can therefore replace the stored URI with a file:// URI of their choosing and, when the application dereferences it, read a local file such as /etc/passwd (Figure 4). Because the server follows whatever URI is stored, the same overwrite could point it at an internal http:// service, which is the case CWE-918 describes in general.

Figure 4: Leveraging SSRF to read a local file.
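The flaw and its fix, as an added example that is not the audited application's code: a constructed model in which the upload endpoint sets a file:// URI server-side, a vulnerable PATCH mass-assigns every field in the body (so certificate_uri can be overwritten) and the fetch dereferences the stored URI blindly, beside a hardened PATCH that only applies allow-listed fields and a fetch that confines the path to the upload directory. All names (certificate_uri, UPLOAD_ROOT, the helper functions) are hypothetical stand-ins for the real endpoints, a temporary file stands in for /etc/passwd, and a POSIX host is assumed.

```python
"""Constructed model of the certificate flow described above (added example,
not the audited application's code). Assumes a POSIX host; field and function
names are hypothetical stand-ins for the real endpoints."""
import os
import tempfile
from urllib.parse import urlparse, unquote

# Stand-in for the directory where the application keeps uploaded certificates.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="certs_")

# Only these fields may be changed through PATCH; certificate_uri is not one of them.
USER_EDITABLE_FIELDS = {"name", "address"}


def upload_certificate(company: dict, filename: str, data: bytes) -> str:
    """POST certificates-of-incorporation: save the file and set the URI server-side."""
    safe_name = os.path.basename(filename)          # strip any directory components
    path = os.path.join(UPLOAD_ROOT, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    company["certificate_uri"] = "file://" + path   # the only place this is ever set
    return company["certificate_uri"]


def patch_company_vulnerable(company: dict, body: dict) -> None:
    """Vulnerable PATCH: every field in the body is written, certificate_uri included."""
    company.update(body)


def patch_company_fixed(company: dict, body: dict) -> dict:
    """Fixed PATCH: apply only allow-listed fields and report what was dropped."""
    rejected = {}
    for key, value in body.items():
        if key in USER_EDITABLE_FIELDS:
            company[key] = value
        else:
            rejected[key] = value
    return rejected


def fetch_certificate_vulnerable(company: dict) -> bytes:
    """Dereferences the stored URI as-is, so file:///etc/passwd is simply read."""
    parsed = urlparse(company["certificate_uri"])
    with open(unquote(parsed.path), "rb") as fh:
        return fh.read()


def fetch_certificate_fixed(company: dict) -> bytes:
    """Defence in depth: even a tampered URI can only name a file under UPLOAD_ROOT."""
    parsed = urlparse(company["certificate_uri"])
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ValueError("only server-issued file:// URIs are accepted")
    real = os.path.realpath(unquote(parsed.path))   # collapses ../ and symlinks
    root = os.path.realpath(UPLOAD_ROOT)
    if os.path.commonpath([real, root]) != root:
        raise ValueError("certificate path escapes the upload directory")
    with open(real, "rb") as fh:
        return fh.read()


def _rejects(company: dict) -> bool:
    """True if the hardened fetch refuses this company's stored URI."""
    try:
        fetch_certificate_fixed(company)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Replay the finding against constructed data and return what each path yields."""
    # A file outside the upload root plays the role of /etc/passwd (constructed content).
    secret_dir = tempfile.mkdtemp(prefix="outside_")
    secret_path = os.path.join(secret_dir, "secret.txt")
    with open(secret_path, "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/bash\n")

    company = {"name": "Example Supplier Ltd"}
    upload_certificate(company, "../incorporation.pdf", b"%PDF-1.4 constructed")
    attack_body = {"name": "Renamed Ltd", "certificate_uri": "file://" + secret_path}

    vuln = dict(company)
    patch_company_vulnerable(vuln, attack_body)
    leaked = fetch_certificate_vulnerable(vuln)          # attacker reads the secret

    fixed = dict(company)
    rejected = patch_company_fixed(fixed, attack_body)   # URI dropped, name applied
    served = fetch_certificate_fixed(fixed)              # still the real certificate

    # Even if the stored value were tampered with through some other bug, the
    # hardened fetch refuses anything that resolves outside UPLOAD_ROOT or that
    # is not a file:// URI (the secret dir is a sibling of UPLOAD_ROOT, so the
    # ../ form below really does resolve to secret_path).
    tampered = dict(company, certificate_uri="file://" + secret_path)
    traversal = dict(company, certificate_uri="file://" + UPLOAD_ROOT + "/../"
                     + os.path.basename(secret_dir) + "/secret.txt")
    internal = dict(company, certificate_uri="http://127.0.0.1:8080/admin")

    return {
        "vuln_leaked_secret": leaked.startswith(b"root:"),
        "fixed_patch_rejected_uri": "certificate_uri" in rejected,
        "fixed_name_updated": fixed["name"] == "Renamed Ltd",
        "fixed_serves_certificate": served == b"%PDF-1.4 constructed",
        "fixed_blocks_tampered": _rejects(tampered),
        "fixed_blocks_traversal": _rejects(traversal),
        "fixed_blocks_internal_http": _rejects(internal),
    }
```

The two fixes are deliberately independent: the allow-listed PATCH removes the mass-assignment that let the client set certificate_uri at all, and the confined fetch means that even a value written by some other path cannot be pointed outside the upload directory or at a different scheme. When re-testing a finding like this, check both: PATCH the field and confirm it is ignored, then confirm that a stored URI naming a file outside the upload directory is refused rather than served.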

Exercise

Figure 5: Exploiting another SSRF vulnerability.
