You should know about Server-Side Request Forgery

This is a post about the most dangerous vulnerability most web applications face, one step that we took at Fly to mitigate it, and how you can do the same. Server-side request forgery (SSRF) is application security jargon for “attackers can get you

Thomas Ptacek, Dj Walker-Morgan
10 min read, advanced

Overview

This article discusses Server-Side Request Forgery (SSRF), a critical vulnerability in web applications, and presents Smokescreen, an egress proxy developed by Stripe to mitigate such risks. It highlights the insidious nature of SSRF vulnerabilities and provides practical guidance on implementing Smokescreen to secure outbound web requests.

What You'll Learn

1. How to implement Smokescreen to secure outbound HTTP requests
2. Why SSRF is a significant threat to web applications
3. How to configure access control lists (ACLs) in Smokescreen

Prerequisites & Requirements

  • Basic understanding of web application security concepts
  • Familiarity with using Git and Docker (optional)

Key Questions Answered

What is Server-Side Request Forgery (SSRF)?
Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker cause the application's server to issue HTTP requests of the attacker's choosing. Because those requests originate from the server, they can reach internal resources that are not normally accessible to external users, which makes SSRF a serious security risk.
How does Smokescreen help mitigate SSRF vulnerabilities?
Smokescreen acts as an egress proxy that ensures outgoing requests are safe by validating that the requested IP addresses are publicly routable. It prevents the application from making requests to internal IP ranges, thus protecting sensitive resources from being accessed by attackers.
What are the common patterns of SSRF vulnerabilities?
There are two main patterns of SSRF vulnerabilities: one where users can provide URLs for the server to call directly, and another where user data is incorporated into URLs. Attackers exploit these patterns to trick the server into making requests to unintended locations.
How can I deploy Smokescreen on Fly?
To deploy Smokescreen on Fly, you can use the commands 'fly init mysmokescreen --import source.fly.toml --org personal', followed by 'fly set secret PROXY_PASSWORD="somesecret"' and 'fly deploy'. This sets up the application with Fly's internal networking.
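The resolve-then-validate check described above, written out as an added Go example (this is not Smokescreen's own code or the article's): the hostname is resolved once, every answer must be publicly routable, and the caller is expected to dial the returned address rather than the hostname. The lookup function parameter is an assumption made so the check can be exercised offline with a constructed resolver; in production it would be net.LookupIP.

```go
package main

import (
	"fmt"
	"net"
)

// Non-routable IPv4 blocks (RFC 6890) that Go's net.IP predicates do not cover:
// "this" network, shared CGNAT space, IETF protocol assignments, reserved class E.
var reserved = func() (nets []*net.IPNet) {
	for _, c := range []string{"0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "240.0.0.0/4"} {
		_, n, _ := net.ParseCIDR(c) // fixed constants, cannot fail
		nets = append(nets, n)
	}
	return nets
}()

// IsPubliclyRoutable reports whether an egress proxy should allow ip. The net.IP
// predicates call To4 internally, so ::ffff:10.0.0.1 is judged as 10.0.0.1.
func IsPubliclyRoutable(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return false
	}
	for _, n := range reserved {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// ResolveEgress resolves host once, denies the request if any answer is not
// publicly routable, and returns the address the caller must dial directly
// (re-resolving the hostname at connect time would allow a DNS rebinding race).
func ResolveEgress(host string, lookup func(string) ([]net.IP, error)) (net.IP, error) {
	ips, err := lookup(host) // net.LookupIP in production; it passes IP literals through
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if !IsPubliclyRoutable(ip) {
			return nil, fmt.Errorf("egress to %q denied: %s is not publicly routable", host, ip)
		}
	}
	return ips[0], nil
}
```

A proxy built on this must also apply the same check on each redirect it follows, since a public host can redirect to an internal address.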

Technologies & Tools


Backend
  • Smokescreen: an egress proxy used to manage and secure outgoing HTTP requests.
Tools
  • Docker: used for building and running the Smokescreen application locally.

Key Actionable Insights

1. Implementing Smokescreen can significantly enhance the security of your web application by preventing SSRF attacks.
   By routing all outgoing requests through Smokescreen, you can ensure that no internal resources are exposed to potential attackers, thus reducing the risk of data breaches.
2. Regularly review and update your access control lists (ACLs) in Smokescreen to adapt to changing security needs.
   As your application evolves, so do the potential threats. Keeping your ACLs updated ensures that only authorized requests are allowed, maintaining a strong security posture.
3. Educate your development team about the risks of SSRF and how to recognize potential vulnerabilities in their code.
   Awareness and training can empower developers to write more secure code and implement best practices that minimize the risk of SSRF vulnerabilities.

Common Pitfalls

1. Failing to properly validate user input when allowing URL submissions can lead to SSRF vulnerabilities.
   Without strict validation, attackers can exploit these inputs to direct the server to sensitive internal resources, compromising the application's security.
2. Neglecting to update access control lists (ACLs) in Smokescreen can lead to unauthorized access.
   As applications evolve, the ACLs must be reviewed regularly to ensure they reflect the current security requirements and prevent unauthorized requests.

Related Concepts

Web Application Security
Access Control Mechanisms
Egress Proxy Configurations