2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.
📘CompTIA CySA+ (CS0-003)
1. What is SSRF?
Server-Side Request Forgery (SSRF) is a type of attack where an attacker tricks a server into making requests to other systems on its behalf.
Instead of the attacker directly connecting to internal or protected systems, they use the vulnerable server as a proxy to send requests.
👉 In simple terms:
- The attacker controls input (like a URL)
- The server uses that input to make a request
- The attacker forces the server to access something it should not
2. How SSRF Works
Many applications allow users to provide URLs for features such as:
- Fetching web pages
- Downloading files
- Retrieving images
- API integrations
If the server does not properly validate that input, the attack proceeds like this:
- The attacker provides a malicious URL
- The server sends a request to that URL
- The attacker gains access to internal or restricted resources
3. Typical SSRF Flow
- Application accepts a URL from a user
- Server processes the URL and makes a request
- Attacker replaces the URL with a malicious one
- Server connects to:
  - Internal network systems
  - Localhost services
  - Cloud metadata services
- Response is returned to the attacker or used internally
4. Why SSRF is Dangerous
SSRF is powerful because the request:
- Comes from inside the network, from a trusted host
- Bypasses perimeter firewall rules that only filter inbound traffic
- Runs with the server's own permissions and network access
Possible impacts:
- Access to internal systems (not exposed to internet)
- Retrieval of sensitive data
- Scanning internal network
- Accessing cloud service metadata
- Remote command execution (in severe cases)
5. Common SSRF Targets
1. Internal Web Services
- Internal APIs (e.g., http://internal-api)
- Admin panels
2. Localhost (127.0.0.1)
- Services running on the same server
- Database dashboards
- Monitoring tools
3. Cloud Metadata Services
- Used in cloud platforms (very critical)
- Example: http://169.254.169.254
Attackers can retrieve:
- Access tokens
- Credentials
- Configuration data
6. Types of SSRF
A. Basic SSRF
- Server returns response to attacker
- Attacker directly sees data
B. Blind SSRF
- Server does NOT return response
- Attacker cannot see output
- Used for:
  - Network scanning
  - Triggering internal actions
7. Indicators of SSRF (Exam Important)
Watch for:
- Applications that accept URLs as input
- Unexpected outbound traffic from server
- Requests to internal IP ranges
- Access to localhost services
- Unusual DNS requests
8. Common Causes of SSRF
- Lack of input validation
- Trusting user-supplied URLs
- No restriction on outbound requests
- Poor network segmentation
- Allowing server to access internal and external resources freely
9. Mitigation Techniques (VERY IMPORTANT FOR EXAM)
1. Input Validation
- Validate and sanitize all user inputs
- Reject:
  - Internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8)
  - Loopback addresses
  - Private network ranges
2. Allowlist (Preferred Method)
- Only allow trusted domains
- Example:
  - Allow only specific API endpoints
  - Block all other URLs
3. Network Segmentation
- Separate internal services from public-facing servers
- Use firewalls to restrict communication
4. Disable Unnecessary Protocols
- Block protocols such as:
  - file://
  - ftp://
  - gopher://
5. Restrict Outbound Traffic
- Use firewall rules to limit server requests
- Only allow necessary external communication
6. Use Metadata Protection (Cloud Environments)
- Block access to metadata IP (169.254.169.254)
- Use IAM roles with least privilege
7. Authentication for Internal Services
- Do not rely only on network location
- Require authentication even for internal APIs
8. Use Web Application Firewall (WAF)
- Detect and block malicious requests
- Monitor suspicious URL patterns
9. Logging and Monitoring
- Track outbound requests
- Alert on:
  - Internal IP access
  - Unusual request destinations
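Techniques 1, 2, 4 and 6 above combined into one outbound-URL check, as an added example that is not code from these notes: `check_outbound_url`, `is_blocked_ip` and the hosts in the constructed `DEMO_DNS` table are hypothetical names, and the block goes a step beyond the list by checking every DNS answer and returning the vetted IP so the caller can pin it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a user-supplied URL must never reach (loopback, RFC 1918, link-local incl. metadata).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]
ALLOWED_SCHEMES = {"http", "https"}  # file://, ftp://, gopher:// are refused outright

# Constructed DNS answers so the example runs offline (these hosts are not real).
DEMO_DNS = {"api.example.com": ["203.0.113.10"], "v6.example.com": ["::ffff:169.254.169.254"],
            "rebind.example.com": ["203.0.113.10", "127.0.0.1"]}


def is_blocked_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):  # OS resolver; every A/AAAA answer as a string
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, allowed_hosts, resolver=system_resolver):
    """Vet a URL before the server fetches it. Returns (ok, detail): detail is the
    checked IP to connect to (pin it to close the DNS-rebinding window) or the reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL rejected (host-confusion trick)"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:  # allowlist of known destinations, never a blocklist
        return False, f"host not on allowlist: {host!r}"
    try:  # literal IP: no DNS step, but still subject to the range check
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"DNS failure for {host}: {exc}"
    for ip in ips:  # every answer must be clean, not just the first one used
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, ips[0]
```

The allowlist check runs before DNS, so an unknown host never triggers a lookup; the range check still runs afterwards in case an allowlisted name is pointed at an internal address.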
10. Best Practices Summary
- Never trust user input
- Use allowlists instead of blocklists
- Restrict server outbound connections
- Protect internal services with authentication
- Monitor and log traffic continuously
11. Exam Tips (Must Remember)
- SSRF = server makes unauthorized requests
- Attack uses server as a proxy
- Targets:
  - Internal network
  - Localhost
  - Cloud metadata
- Best defense:
  - Allowlist + outbound filtering + input validation
- Very common in:
  - Web apps
  - APIs
  - Cloud environments
12. Quick Revision
| Topic | Key Point |
|---|---|
| SSRF | Server tricked into making requests |
| Risk | Access internal systems |
| Target | Localhost, internal APIs, metadata |
| Type | Basic and Blind |
| Defense | Allowlist, validation, firewall rules |
