With the increasing adoption of cloud computing services, the security of cloud environments has become a significant concern. One of the most common and dangerous vulnerabilities that can be exploited in cloud environments is Server-Side Request Forgery (SSRF).
In this blog, we will discuss the basics of SSRF. We will also discuss how it can be exploited in cloud environments, its impacts, and remediation techniques.
Server-Side Request Forgery (SSRF) is a type of vulnerability that allows an attacker to send requests from a vulnerable web application.
An SSRF attack occurs when an attacker can control the destination of a request sent by a vulnerable application.
In other words, the attacker can manipulate the request. It could be in a way that it can help to communicate with internal or external systems. These systems are not intended to be accessed by the application.
Server-Side Request Forgery attacks in cloud environments can be even more dangerous as the attacker can access the sensitive data and resources of the entire cloud infrastructure. Cloud environments usually involve multiple instances and servers running different services and applications. An attacker with an SSRF vulnerability can access them all.
For example, an attacker can exploit an SSRF vulnerability in a cloud-based web application that sends requests to a backend server.
The attacker can manipulate the request and redirect it to the internal IP address of a database server or a cloud storage bucket not intended to be accessed by the application.
This can result in data theft, corruption, or even complete control of the cloud infrastructure.
Amazon Elastic Compute Cloud is a service that allows businesses to run applications in the public cloud. It has a service called Instance Metadata.
This enables EC2 instances to access an API that returns data about the instance itself (on the address 169.254.169.254).
An instance metadata API service similar to that of EC2 is also available on Google Cloud. These API endpoints are accessible by default unless they are specifically blocked or disabled by network admins.
The information these services reveal is often extremely sensitive and could potentially allow attackers to escalate SSRFs to serious info leaks and RCE (Remote Code Execution).
If a company is hosting its infrastructure on Amazon EC2, you can query various instance metadata about the host using the endpoints at http://169.254.169.254/latest/meta-data/.
These endpoints reveal information such as API keys, AWS S3 tokens, and passwords.
Here are a few especially useful ones to go after first:
If the company uses Google Cloud, you could try to query Google Instance Metadata API instead.
Google implements some additional security measures for their API endpoints — Querying Google Cloud Metadata APIv1 requires special headers:
“Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
But this protection is an easy bypass because most endpoints accessible through APIv1. It has easy access via the API v1beta1 endpoints instead. And API v1beta1 does not have the same header requirements.
Here are a few critical pieces of information to go after first:
Amazon and Google aren’t the only web services that provide metadata APIs. However, these two have quite a large market share, so chances are the company that you are testing is on one of these platforms.
If not, https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb is a list of other cloud metadata services and things you can try.
The impact of an Server-Side Request Forgery attack in a cloud environment can be severe. An attacker with an SSRF vulnerability can access and exploit the resources and data of the entire cloud infrastructure.
Some of the possible impacts of an SSRF attack in a cloud environment are as follows.
Here are some of the remediation techniques to prevent SSRF attacks in cloud environments:
SSRF is a severe vulnerability that can be particularly dangerous in cloud environments. Attackers can use this vulnerability to gain access to sensitive data, execute arbitrary code, and launch other attacks that can compromise the security of the entire system.
But with the right remediation techniques, you do not need to worry. As discussed, there are various remediation techniques to mitigate the risk of Server-Side Request Forgery attacks.
If you’re looking for a comprehensive solution to secure your web applications, SecureLayer7 can help. With our cutting-edge web application security solutions, you can protect your systems from all types of cyber threats.Get in touch with us today to learn more!