Although the security community has been aware of server-side request forgeries (SSRF) for a while, it’s only since the Capital One breach that they hit mainstream awareness.
However, most of the public documentation following the breach focused on the attacking side of the equation (i.e. how to trigger and exploit an SSRF vulnerability) rather than on how to defend against SSRF exploits. As the broader pentesting community has noted, most of the available information on defending against SSRF is repurposed from the information the community generated on offense.
Why is this the case? Well, one of the main reasons for the focus on the attacking side is how abstract the vulnerability is, and how varied the circumstances are where the primitive it offers can be used for nefarious purposes.
This is unfortunate because the vulnerability is at least as complicated to defend against as it is to exploit. Moreover, mainstream application security solutions are poorly suited to handling how context-heavy the vulnerability is: you can’t find an SSRF just by the look of it; you need to catch it in action. This means that the vulnerability needs to be addressed in the application code, or at least very close to it.
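To make "catching it in action, close to the application code" concrete, here is an added example (not code from the Sqreen guide or from Sqreen's RASP) of an outbound-request check an application can call immediately before it fetches a user-supplied URL. It resolves the hostname, requires every returned address to be globally routable, unwraps IPv4-mapped IPv6 literals, and refuses non-HTTP schemes and embedded credentials. The blocked ranges, the `SSRFBlocked` exception, and the `FAKE_DNS` table with its hostnames and addresses are assumptions constructed for this example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges blocked explicitly on top of the "not globally routable" test below.
# Assumed policy for this example; a real deployment tunes it to its own network.
EXTRA_BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local; cloud instance-metadata services live here
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


class SSRFBlocked(ValueError):
    """Raised when an outbound request target fails the policy (hypothetical name)."""


def is_blocked_ip(ip_str: str) -> bool:
    """True if the address is loopback, private, link-local or otherwise not globally routable."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4 address it carries.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if not ip.is_global:
        return True
    return any(ip in net for net in EXTRA_BLOCKED_NETWORKS)


def system_resolver(host: str) -> list:
    """Resolve a hostname to every address it maps to (A and AAAA) via the OS resolver."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url: str, resolver=system_resolver) -> str:
    """Check a URL the application is about to fetch; return the IP it was validated against.

    The caller should connect to the returned IP (keeping the original Host header)
    rather than re-resolving the name, which would reopen a DNS-rebinding window.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        # A literal IP (including bracketed IPv6) is checked directly, no DNS involved.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"{host!r} did not resolve")
    # Every address the name maps to must pass; a single internal record is enough to block.
    for addr in addresses:
        if is_blocked_ip(addr):
            raise SSRFBlocked(f"{host!r} maps to blocked address {addr}")
    return addresses[0]


def outbound_url_verdict(url: str, resolver=system_resolver) -> tuple:
    """Convenience wrapper returning (allowed, detail) instead of raising."""
    try:
        return True, validate_outbound_url(url, resolver)
    except SSRFBlocked as exc:
        return False, str(exc)


# Constructed DNS table so the example runs offline; none of these names are real.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "internal.example": ["192.168.1.20"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in [
        "https://api.partner.example/report",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example/",
        "ftp://api.partner.example/",
        "http://user@api.partner.example/",
    ]:
        print(url, "->", outbound_url_verdict(url, fake_resolver))
```

Two points this illustrates about why the check has to sit next to the request: the verdict depends on what the name resolves to at call time, so a static scan of the source cannot make it, and the validated address must be the one actually connected to. A redirect handled by the HTTP client bypasses the check unless redirects are disabled or each hop is passed through `validate_outbound_url` again.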
At Sqreen, we’ve spent a lot of time studying the defense side of SSRF. Today, we’re releasing an SSRF reference guide that goes into detail on the technical sources and implications of SSRF so that you can better protect against it. Moreover, we provide suggestions on how to mitigate the various issues, with details on the trade-offs each method has. Finally, we touch on Sqreen’s SSRF RASP protection and explain both how it works today and how we expect it to evolve to better tackle the challenges of this vulnerability.
Check out the guide and let us know what you think! We hope it’s useful for you as you consider how to improve your application security.