Server Side Request Forgery (SSRF) is a serious web application risk that is on the rise with the move to microservice architectures, which commonly use web-based protocols for service-to-service communication. In short, SSRF lets an attacker make the vulnerable server issue requests on their behalf: the server's network position and privileges are abused to reach local or internal resources, or the server is used as a platform from which further exploits are launched.
In this video, we demonstrate detecting and protecting against an actual SSRF vulnerability using Hdiv Security tooling. For a longer description of the vulnerability, make sure you review our SSRF deep dive post on BORNSECURE.
Efficient SSRF vulnerability detection
Hdiv Detection (IAST) finds SSRF vulnerabilities throughout the entire application, in custom code as well as in external dependencies. It finds both direct SSRF and blind SSRF vulnerabilities (blind meaning the response to the forged request is never returned to the attacker, so the issue leaves no visible trace in the application's output). Because the IAST runtime approach observes the application as it executes, detection is based on how the application actually behaves rather than on guesswork.
Monitor and block SSRF attacks
Hdiv Protection (RASP) makes it possible to safely deploy code that contains SSRF weaknesses without changing the code. Requests to trusted servers are allowed, while any other local or remote SSRF exploitation attempt is blocked and reported. This flexibility lets developers build complex interconnection functionality with security guardrails in place.
In the video above, you can see how Insecure Bank, a deliberately insecure training application, contains an SSRF vulnerability in the User Profile use case. First, we demonstrate detection of the vulnerability, including its dynamic aspects (the URL and parameter involved) and its static aspects (location in the codebase, down to file and line number), so that developers can fix the problem easily. The video also demonstrates Monitor mode, which notifies and logs exploitation attempts, and Block mode, which stops them. Lastly, we show how the team can designate “safe” URL formats that Hdiv will allow at each particular weak spot.
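To make the guardrail described above concrete (requests to trusted servers pass, anything pointing at a local or otherwise untrusted target is refused before the request leaves the server), here is an added Python example. It is not Hdiv's or Insecure Bank's code: the allowlist in TRUSTED_HOSTS, the fake HTTP client and the URLs in SAMPLE_URLS are constructed for the demo, and a User Profile avatar fetch stands in for the weak spot in the video. The vulnerable function is shown beside the hardened one so the difference in behaviour on the same inputs is visible.

```python
"""Vulnerable "fetch the URL the user gave us" beside an allowlisted version.

Added example, not Hdiv's or Insecure Bank's code. TRUSTED_HOSTS, the
fake HTTP client and SAMPLE_URLS are constructed for the demo.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the profile feature may talk to (assumption).
TRUSTED_HOSTS = frozenset({"api.partner.example", "cdn.partner.example"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = {None, 80, 443}  # None = scheme default port


def check_outbound_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> Tuple[bool, str]:
    """Default-deny decision for an outbound request: returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo, port and IPv6 brackets; lowercases
        port = parts.port      # raises ValueError on junk such as ':abc'
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host in URL"

    # An IP literal can never match a hostname allowlist, but name the reason:
    # loopback, RFC 1918 and link-local (169.254.169.254 is the cloud metadata
    # endpoint) are the classic SSRF targets.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return False, f"IP literal {host} is a local/internal address"
        return False, f"IP literal {host} is not a trusted host"

    # Exact hostname match: no substring/prefix matching, so
    # "api.partner.example.evil.example" and userinfo tricks do not pass.
    if host not in trusted_hosts:
        return False, f"host {host!r} is not in the allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


class BlockedRequest(Exception):
    """Raised when the guardrail refuses an outbound request."""


HttpGet = Callable[[str], bytes]


def fetch_avatar_vulnerable(url: str, http_get: HttpGet) -> bytes:
    """The weak spot: the server fetches whatever URL the user supplied."""
    return http_get(url)


def fetch_avatar_hardened(url: str, http_get: HttpGet) -> bytes:
    """Same feature with the allowlist enforced before the request leaves."""
    allowed, reason = check_outbound_url(url)
    if not allowed:
        raise BlockedRequest(reason)
    return http_get(url)


# Constructed sample inputs: one legitimate avatar URL plus typical SSRF payloads.
SAMPLE_URLS: List[str] = [
    "https://api.partner.example/u/42/avatar.png",
    "http://127.0.0.1:8080/admin",                # loopback
    "http://169.254.169.254/latest/meta-data/",   # cloud metadata endpoint
    "http://[::1]/",                              # IPv6 loopback
    "http://2130706433/",                         # 127.0.0.1 written as a decimal integer
    "http://api.partner.example@evil.example/",   # userinfo trick, real host is evil.example
    "file:///etc/passwd",                         # non-HTTP scheme
    "https://api.partner.example:8443/",          # trusted host, non-default port
]


def run_demo(urls: List[str] = SAMPLE_URLS) -> Dict[str, Tuple[bool, bool, str]]:
    """Return {url: (vulnerable_fetched, hardened_fetched, reason)} using a fake client."""
    fetched: List[str] = []

    def fake_http_get(url: str) -> bytes:  # records the request instead of sending it
        fetched.append(url)
        return b"<response>"

    results: Dict[str, Tuple[bool, bool, str]] = {}
    for url in urls:
        fetch_avatar_vulnerable(url, fake_http_get)  # always goes out
        vulnerable_fetched = fetched[-1] == url
        try:
            fetch_avatar_hardened(url, fake_http_get)
            hardened_fetched, reason = True, "ok"
        except BlockedRequest as exc:
            hardened_fetched, reason = False, str(exc)
        results[url] = (vulnerable_fetched, hardened_fetched, reason)
    return results


if __name__ == "__main__":
    for url, (vuln, hard, reason) in run_demo().items():
        print(f"vulnerable: {'FETCHED' if vuln else 'blocked'}  hardened: {'FETCHED' if hard else 'blocked'}  {url}  ({reason})")
```

Two caveats worth keeping in mind with any pre-request check of this kind. The check only covers the URL the application was handed, so the HTTP client must not follow redirects blindly: a trusted host that redirects to an internal address bypasses the allowlist unless every hop is re-checked (or redirects are disabled). Likewise, the hostname check says nothing about what the name resolves to at connection time (DNS rebinding); an exact-hostname allowlist of servers you control keeps that risk small, but a check that resolves the name and validates the resulting address has to be done on the socket actually used for the connection, not in a separate lookup beforehand.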
If you want more details or want to try the Hdiv SSRF tooling in your own application, drop us a line and we will get back to you within hours.