Word Notes 2.1.22
Ep 86 | 2.1.22

OWASP server-side request forgery (noun)


Rick Howard: The word is: OWASP server-side request forgery. 

Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, server-side for the application that runs on the server in contrast to running on the user's browser or client-side, and request forgery for unauthorized access request to servers that are supposed to be private.  

Rick Howard: Definition: An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers.  

Rick Howard: Example sentence: A server-side request forgery, or SSRF attack, often exploits trust relationships between publicly-visible web servers and private internal servers.  

Rick Howard: Origin and context: Dave Wickers and Jeff Williams working for Aspect Security, a software consultant company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.  

Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerabilities list, SSRF ranks at number 2.  

Rick Howard: In a normal configuration, web servers typically get requests for information that the web server stores locally. On the CyberWire webpage, users can request the list of all the CyberWire podcasts for example. But it also accepts requests for outside information sources. For instance, the Word Notes website page for this word, SSRF, might like to display a YouTube video that somebody else created on the same topic. These two use cases are normal and perfectly acceptable. But a bad actor can use this functionality to get to other internal servers or data not meant for the public.  

Rick Howard: In other words, instead of asking to see the YouTube video, they might ask to see the source code of the super secret project stored on an internal server. Hackers can't get to the super secret server directly, but they might be able to get to the data indirectly by going through the web server. To mitigate this risk, network defenders should follow their zero trust strategy and limit access to internal assets from the web server to only the employees who need it. In practice, this means that at the application level, the web server is checking the source of the request to verify if the entity is authorized access to the data stored on the internal server. This is a lot easier to say than it is to do.  

Rick Howard: According to OWASP, these SSRF attacks are rare, but recently hackers used the technique to successfully compromise to high profile victims: SolarWinds and Capital One.  

Rick Howard: Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare it and security professionals for CompTIA A+, CompTIA Network+, and CompTIA Security+ certifications. In this clip, he describes the 2019 server-side request forgery attack against Capital One.  

Professor Messer: This is an attack type that's normally prevented. If you're using a web application firewall or a WAF. In this particular case, they believe that the WAF itself was misconfigured and the attacker was able to query the WAF and gather information directly from that service. 

Professor Messer: We believe that by using this SSRF attack, the attacker was able to get security credentials of the WAF. And by using those security credentials was able to access a bucket on Amazon's simple storage service, or S3. This is a file system that exists in the Amazon cloud. Those credentials were able to access those S3 buckets and inside of those buckets on the Capital One Amazon account or credit card applications that range from 2005 through 2019, that was 106 million names, addresses, phone numbers, emails, and dates of birth that can consist of 140,000 social security numbers, and over 80,000 bank account numbers, all because they were able to perform this forgery that ultimately gave them access to that bucket. 

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.