Analysis of Server-Side Request Forgery (SSRF) network attacks

Source: Internet
Author: User


Through Server-Side Request Forgery (SSRF), an attacker can use your web application to send requests to other applications running on the same host, or to servers on the same LAN or on a remote network. Because the request originates from your server, the target server may apply a lower level of protection, so this relatively trusted request is allowed through.


This article discusses two types of Server-Side Request Forgery (SSRF): trusted-link SSRF and remote SSRF, as presented by Alexander Komkov and Dmitri Chastain at the Black Hat security conference (PDF).


Trusted-link Server-Side Request Forgery


Trusted-link SSRF means sending a request to a predetermined, trusted destination over a trusted link that the attacker abuses. To mount the attack, the attacker must be able to access the application, or find a vulnerability that lets them initiate the request.


The following is an example of a trusted-link SSRF attack that uses an Oracle database link and public privileges:


-- Query a table on the remote host through the database link HostX
SELECT * FROM myTable@HostX;

-- Call a packaged procedure on the remote host through the same link
-- (SQL*Plus syntax: the @dblink suffix follows the procedure name)
EXECUTE Schema.Package.Procedure@HostX('parameter');


Using the trusted database link, the attacker can send requests to host X and receive its responses through the Oracle database. This type of SSRF raises no alarm, because host X is configured as a trusted link in the Oracle database.


An attacker must clear several hurdles before the attack succeeds. They need reconnaissance techniques to confirm that host X exists. They also need a trusted link to the database, which can be obtained through SQL injection or through a misconfiguration in the web application's database access control.

Remote Server-Side Request Forgery


Through remote SSRF, an attacker directly uses a vulnerability in a web application or web service to open connections and send requests to arbitrary remote servers. From there, the attacker can use the vulnerability to perform port scans and to launch attacks and other malicious activity against further servers.
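One defensive counterpart to the port-scanning use of a URL-fetching endpoint is to look for it in the web server's own access logs. The following detector is an added example written for this article, not code from the original page: it assumes a hypothetical endpoint /fetch?url=<target> and a simplified log format (client address, method, request path, status), and the log lines it reads are constructed for the demonstration. It flags requests whose target is an internal or cloud-metadata address, and clients that drive the endpoint against many distinct ports of one host.

```python
"""Detect SSRF-style use of a URL-fetching endpoint in web access logs.

Added example for this article; not code from the original page. It assumes
a hypothetical endpoint /fetch?url=<target> and a simplified access-log
format (client_ip method request_path status). The log lines below are
constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines: one client probing ports on an internal host,
# one touching the cloud metadata address, one legitimate external fetch.
SAMPLE_LOG = """\
203.0.113.5 GET /fetch?url=http://10.0.0.7:22/ 502
203.0.113.5 GET /fetch?url=http://10.0.0.7:80/ 200
203.0.113.5 GET /fetch?url=http://10.0.0.7:443/ 200
203.0.113.5 GET /fetch?url=http://10.0.0.7:3306/ 502
203.0.113.5 GET /fetch?url=http://10.0.0.7:6379/ 502
203.0.113.5 GET /fetch?url=http://10.0.0.7:8080/ 200
198.51.100.9 GET /fetch?url=http://169.254.169.254/latest/meta-data/ 200
192.0.2.44 GET /fetch?url=https://example.com/feed.xml 200
"""

METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
PORT_SCAN_THRESHOLD = 5  # distinct ports on one host from one client


def target_from_request(path):
    """Return the 'url' parameter of a /fetch request, or None if absent."""
    parsed = urlparse(path)
    if parsed.path != "/fetch":
        return None
    values = parse_qs(parsed.query).get("url")
    return values[0] if values else None


def is_internal_host(host):
    """True for loopback/private/link-local literals and known metadata hosts."""
    if host in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; no resolution is attempted offline
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def analyze_log(text):
    """Return (internal_hits, port_scans).

    internal_hits: list of (client_ip, target_url) for requests whose target
    host is internal.
    port_scans: list of (client_ip, host, sorted_ports) where one client used
    the fetch endpoint against at least PORT_SCAN_THRESHOLD distinct ports of
    one host.
    """
    internal_hits = []
    ports_seen = defaultdict(set)  # (client, host) -> {ports}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, _method, path, _status = fields[:4]
        target = target_from_request(path)
        if target is None:
            continue
        t = urlparse(target)
        host = t.hostname or ""
        port = t.port or (443 if t.scheme == "https" else 80)
        if is_internal_host(host):
            internal_hits.append((client, target))
        ports_seen[(client, host)].add(port)
    scans = [
        (client, host, sorted(ports))
        for (client, host), ports in ports_seen.items()
        if len(ports) >= PORT_SCAN_THRESHOLD
    ]
    return internal_hits, scans


if __name__ == "__main__":
    hits, scans = analyze_log(SAMPLE_LOG)
    for client, target in hits:
        print(f"internal target from {client}: {target}")
    for client, host, ports in scans:
        print(f"possible port scan via SSRF from {client} against {host}: {ports}")
```

The threshold and the list of metadata hosts are tuning knobs; in a real deployment the hostnames would also be resolved, since an attacker can point the endpoint at a DNS name that maps to an internal address.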


From the attacker's perspective this method has several advantages: it helps conceal malicious activity, it lets them use the processing capacity of the vulnerable server to mount further attacks, and it lets them use multiple servers with the same vulnerability as a launch platform for distributed attacks.


SSRF can be triggered through several classes of vulnerability: XML External Entity (XXE) injection in components that process XML documents; CRLF injection, which gives direct socket access; URL-handling code that fetches network resources, such as cURL and the ASP.NET URI classes; and external links from databases such as PostgreSQL.
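The URL-fetching class of SSRF above is the one most applications can fix in their own code. The example below is added for this article and is not code from the original page or from any of the libraries it names; the function names, the allow-list parameter and the injectable resolver are assumptions made for the demonstration. It shows an unchecked fetcher next to a hardened one that rejects control characters (the CRLF case), non-HTTP schemes, embedded credentials and any hostname that resolves to a non-public address, and that refuses to follow redirects.

```python
"""A URL fetcher with and without SSRF protections.

Added example for this article; not code from the original page. The
function names (fetch_unchecked, validate_target, fetch_checked), the
allowed_hosts parameter and the resolver hook are assumptions made for the
demonstration.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse


def fetch_unchecked(url):
    """Vulnerable: fetches whatever URL the caller supplies.

    Any scheme urllib supports, any host (127.0.0.1, 10.x, metadata
    addresses) and any port is reachable from the server's network position.
    """
    with urllib.request.urlopen(url) as resp:  # SSRF: no target validation
        return resp.read()


def resolve_all(host):
    """Default resolver: every IP address the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_target(url, resolve=resolve_all, allowed_hosts=None):
    """Return (scheme, host, port, addresses) or raise ValueError.

    Checks, in order: no control characters (blocks CRLF injection into the
    request), http/https only, no embedded credentials, optional host
    allow-list, and every address the host resolves to must be public.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        raise ValueError("control characters in URL")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not in allow-list: {host}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal: no lookup
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return parts.scheme, host, port, sorted(addresses)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a public host could redirect to an
    internal one, so each hop must be validated separately."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_checked(url, resolve=resolve_all, allowed_hosts=None):
    """Fetch url only after validate_target accepts it, without redirects."""
    validate_target(url, resolve, allowed_hosts)
    # Caveat: the name is resolved again when connecting, so a DNS rebinding
    # between validation and connection is not closed here; closing it needs
    # a client that connects to the validated address while keeping the
    # original hostname for Host and TLS verification.
    opener = urllib.request.build_opener(NoRedirect())
    with opener.open(url, timeout=5) as resp:
        return resp.read()
```

validate_target takes the resolver as a parameter so the checks can be exercised offline with a stub mapping; in production the default resolve_all is used. Note that an allow-list of hosts is the stronger control where the set of legitimate destinations is known in advance; the address checks are the fallback for open fetch features.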

Conclusion


Exploiting an SSRF vulnerability means using the website as a stepping stone into the intranet or the trusted network, which requires two conditions: first, attackers need to upload a webshell and perform operations through it; second, they need to find a vulnerable interactive environment through which to submit resource requests.
