Harsh Bothra Profile picture
Mar 31 14 tweets 2 min read
#SecurityExplained S-90: CWE Top 25: CWE-918: Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and obtains its contents, but it does not check that the request is routed to the correct destination.

1/n
2/n

Malicious parties can exploit CWE-918, better known as Server-Side Request Forgery (SSRF), to trick a server into making requests on their behalf, gaining access to internal infrastructure, sensitive data, and more.
3/n

Any feature that accepts a URL, or builds one from user input, marks the attack surface for SSRF. Input sanitization and allowlists are the two most effective defenses available, but they can be challenging to maintain.
4/n

Server-Side Request Forgery (SSRF) is an attack in which an attacker abuses a web application's server-side request functionality to make unauthorized requests to internal or external services.
5/n

For example, if the application has functionality that sends requests to other servers and the attacker can control the destination, your web server can be turned into a proxy.
6/n

As a result, an attacker can reach systems that are otherwise behind a firewall or access private resources on the local host itself, depending on the web server's settings.
7/n

A malicious attacker can use this vulnerability to force a server-side application to send HTTP requests to a domain of their choosing.
8/n

# Impact:

A typical example is information disclosure: internal hosts are port-scanned through the vulnerable server and any returned service banners are enumerated. In some cases a detailed error message reveals the port's status; in others, a time-based approach is required.
9/n

If the application runs at a hosting provider, the provider's instance metadata service may be reachable, revealing public SSH keys, credentials, and private IP address blocks.
10/n

In rare situations, the vulnerability can be leveraged to read the contents of local files on the web server. This is accomplished by using a different URL handler: `file://`.
11/n

This can expose the web application's source code, configuration files, and other sensitive data to the attacker.
12/n

# Mitigations:

Keep an allowlist of DNS names or IP addresses that the web application is allowed to reach.

If a denylist is required instead, ensure that all user input is thoroughly validated and that private IP address ranges (including loopback and link-local) are rejected.
13/n

Sanitize all user input that ends up in URLs or other outbound requests, and avoid returning raw server-side responses to the client.

To restrict all superfluous traffic, use firewall policies or network access control rules.
n/n

Ensure that only the HTTP(S) schemes can be used, and if other handlers are genuinely required, enforce a strict allowlist of them. It is also essential not to follow HTTP redirects, since a redirect can point the server at an internal host.
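The mitigation steps above (HTTP(S) only, hostname allowlist, no private addresses, no redirects) combined into one outbound-URL check, as an added example that is not part of the original thread. The allowlist, the sample DNS table and the hostnames are constructed; in production `resolve` would be `socket.gethostbyname`.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only hosts this app may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp://, ...

# Constructed DNS table so the check runs offline; use socket.gethostbyname for real.
SAMPLE_DNS = {"api.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}

def sample_resolve(host: str) -> str:
    return SAMPLE_DNS[host]

def is_private_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (covers 169.254.169.254 metadata), etc."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_outbound_url(url: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """HTTP(S) only, hostname on the allowlist, and the resolved address must be public.
    Returns (ok, reason_or_ip)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    ip = resolve(host)  # check the address the request would actually go to
    if is_private_address(ip):
        return False, f"{host} resolves to non-public address {ip}"
    return True, ip

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses: urllib raises HTTPError instead of re-requesting."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url: str) -> bytes:
    """Validate first, then fetch with redirects disabled."""
    ok, reason = check_outbound_url(url)
    if not ok:
        raise ValueError(reason)
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=5) as resp:
        return resp.read()
```

Because the name is resolved once here and again by the HTTP library, a resolver that answers differently on the second lookup could still slip past; pinning the connection to the checked IP closes that gap.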
