Server Side Request Forgery ('SSRF')

php.server_side_request_forgery

Severity

critical

Resource

Channel

Language

Php

Description

Improper validation of external input used to retrieve the content of a URL ('SSRF').

SSRF vulnerabilities arise when an application accepts user input to create or control URLs or networking requests without appropriate validation or restriction. This can allow attackers to craft malicious requests to sensitive internal endpoints or external services on behalf of the server.

Rationale

Similar to other injection attacks, an SSRF vulnerability allows an attacker to manipulate the URLs used by a server-side application, to point to unexpected internal or external resources.

By carefully selecting the URLs, the attacker can read or update internal resources, such as cloud metadata, internal services, or databases. In addition, SSRF can bypass network access controls like firewalls and VPNs.

An SSRF vulnerability can be exploited by threat actors for network reconnaissance, data exfiltration, denial of service or pivot attacks to other systems.

For instance, consider a PHP application that fetches resources based on user-provided URLs:

<?php
$url = $_GET['url']; // User-provided input
$response = file_get_contents($url); // Potentially dangerous
echo $response;
?>

Remediation

To prevent SSRF vulnerabilities in applications, follow these remediation practices:

Input Validation and Whitelisting: Always sanitize and validate user-supplied data in URLs using a whitelist of known, safe URLs. Reject any URLs not meeting established criteria to limit exposure to external or unauthorized internal requests.
Use a Proxy or Gateway Approach: Route all outbound requests through a proxy or gateway, allowing finer control over which requests should be allowed and logged.
Network Segmentation and Firewalls: Implement network segmentation to restrict the application’s ability to access sensitive internal services. Use firewalls to block traffic by default and allow only specific, necessary requests.
Monitoring and Logging: Implement comprehensive request logging and monitoring solutions to detect suspicious outbound requests indicative of SSRF attempts.

By following these recommended practices, applications can effectively defend against SSRF vulnerabilities, ensuring that server-side requests are controlled and properly secured from unauthorized exploitation.

A sanitized version of the previous example would look like this:

<?php
$trusted_domains = ['example.com', 'api.example.com'];
$url = $_GET['url'];
$parsed_url = parse_url($url);
$host = $parsed_url['host'];

if (in_array($host, $trusted_domains)) {
    $response = file_get_contents($url);
    echo $response;
} else {
    die('Invalid domain.');
}
?>

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-918 : Server-Side Request Forgery (SSRF).
OWASP - Top 10 2021 Category A10 : Server-Side Request Forgery (SSRF).
Server-Side Request Forgery Prevention Cheat Sheet, in OWASP Cheat Sheet Series.