SSRF server request forgery vulnerability

Server-Side Request Forgery (SSRF) attacks
Many web applications provide a function that fetches data from other servers: given a URL specified by the user, the application fetches an image, downloads a file, reads file content, and so on.
If this feature is abused, the flawed web application can be used as a proxy to attack remote and local servers. This form of attack is called a server-side request forgery attack.
- In general, SSRF attacks target internal systems that cannot be reached from the external network. (Precisely because the request is initiated by the server, it can reach internal systems that the server is connected to but that are isolated from the external network.)
Most SSRF vulnerabilities arise because the server offers a function that fetches data from other servers or applications without filtering or restricting the target address.
For example: fetching the text content of web pages from specified URLs in batch, loading images from a specified address, downloading files, and so on.
Attackers can use SSRF to carry out five main types of attack:
1. Port scanning of the external network, of the intranet the server sits in, and of the server itself, to obtain banner information from some services.
2. Attacking applications running on the intranet or locally (for example via overflows).
3. Fingerprinting intranet web applications by requesting their default files.
4. Attacking web applications on the internal and external networks, mainly attacks that can be carried out through GET parameters (such as Struts, SQLi, etc.).
5. Reading local files through the file protocol, etc.

The php-curl extension

[1] Obtaining web resources: crawlers
[2] Web services: obtaining interface (API) data
[3] FTP: downloading files

  • php.ini

Other protocols supported by curl

[1] dict protocol: used to build online dictionary services
[2] gopher protocol: a text-only information retrieval system (no images) that has since been replaced by HTTP

PHP dangerous functions


Where SSRF appears: functions that fetch a URL

1. Sharing function: sharing web content through a URL address.
In early sharing applications, to give a good user experience, the sharing function usually fetched the `<title></title>` tag, or the text in the content attribute of `<meta name="description" content="" />`, from the page at the target URL and displayed it. For example, Renren's sharing function, http://widget.renren.com/*****?resourceUrl=https://www.nsfocus.com,
fetches the title tag and related text through the target URL address. If this function does not filter or restrict the range of the target address, it has an SSRF vulnerability.
2. Transcoding services: the web page at the original address is adjusted through a URL so that it suits a mobile phone screen. Because of the size of a phone screen, browsing a desktop web page directly is very inconvenient, so some companies provide a transcoding function that converts the page into a style suited to the phone screen. Baidu, Tencent, Digou and other companies provide online transcoding services.
3. Online translation: translating the text found at a given URL address. Domestic companies offering this function include Baidu and Youdao.
4. Image loading and downloading: loading or downloading an image through a URL address. Loading an image from a remote address is used in many places, but most of them are fairly hidden. For example, some companies load images from their own image servers for display. (Some may ask why loading from the company's own image server is also a problem, and why the img tag is not simply used directly. That is right, but for a better user experience developers usually make small adjustments to the image, such as watermarking or compression, so the server-side fetch may cause SSRF problems.)
5. Image and article collection: article collection here is similar to function 1, the sharing function, in that the title and body text at the URL address are fetched for display to improve the user experience; image collection is similar to function 4, image loading.
6. Undocumented APIs and other functions that call a URL: similar functions include the website rating provided by 360JS, and some websites fetch a remote XML file by URL to load content.

pikachu SSRF


SSRF fixes and defenses

1. Filter the returned information and verify the remote server's response to the request. If the web application is meant to fetch a certain type of file, verify that the returned data conforms to that type before showing the result to the user. Unify error messages so that users cannot infer the port status of the remote server from them.
2. Restrict the requested port to the ports commonly used by HTTP, for example 80, 443, 8080, 8090.
3. Blacklist intranet IP addresses, so the application cannot be used to read intranet data or attack the intranet.
4. Disable unnecessary protocols; allow only http and https requests. This prevents the problems caused by file:///, gopher://, ftp:// and similar schemes.
5. Unify error messages.
6. Set a URL whitelist.
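Putting the six defense items together, here is an added example (written for this page, not code from the original post or from the pikachu lab) of the check that a sharing, transcoding or image-loading endpoint would run on a user-supplied URL before fetching it; the allowlisted host and the offline DNS table are constructed values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # defense item 4: no file://, gopher://, dict://, ftp://
ALLOWED_PORTS = {80, 443, 8080, 8090}    # defense item 2
ALLOWED_HOSTS = {"www.nsfocus.com"}      # defense item 6; hypothetical allowlist

# Constructed DNS table so the example runs offline (system_resolver is the real one).
FAKE_DNS = {
    "www.nsfocus.com": {"93.184.216.34"},            # public address, constructed
    "shared.example": {"10.0.0.8"},                  # name that resolves into the intranet
    "meta.example": {"169.254.169.254"},             # link-local (cloud metadata range)
    "dual.example": {"93.184.216.34", "127.0.0.1"},  # one public record, one loopback
}

def fake_resolver(host):
    return FAKE_DNS.get(host, {host})    # unknown names are treated as IP literals

def system_resolver(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """True only if every check passes; no reason is returned (defense items 1 and 5)."""
    try:
        parts = urlsplit(url)
        port = parts.port                # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    scheme, host = parts.scheme.lower(), parts.hostname   # hostname is lower-cased
    if scheme not in ALLOWED_SCHEMES or not host:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    # Defense item 3: every address the name resolves to must be public, not just the first.
    try:
        ips = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):        # lookup failed, or the resolver gave a non-IP
        return False
    for ip in ips:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:             # covers 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1
            return False
    return True
```

Connect to the address that passed the check rather than letting the HTTP client resolve the name again, since a name that points to a public address during the check and to an intranet address a moment later (DNS rebinding) would otherwise pass; every redirect the fetch follows needs the same check on its new target.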

Origin blog.csdn.net/m0_57379855/article/details/123433809