Word Notes 2.1.22
Ep 86 | 2.1.22

OWASP server-side request forgery (noun)

Transcript


Rick Howard: The word is: OWASP server-side request forgery. 


Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project; server-side for the application that runs on the server, in contrast to running on the user's browser or client-side; and request forgery for an unauthorized access request to servers that are supposed to be private.  


Rick Howard: Definition: An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers.  


Rick Howard: Example sentence: A server-side request forgery, or SSRF attack, often exploits trust relationships between publicly visible web servers and private internal servers.  


Rick Howard: Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.  


Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerabilities list, SSRF ranks at number 2.  


Rick Howard: In a normal configuration, web servers typically get requests for information that the web server stores locally. On the CyberWire web page, users can request the list of all the CyberWire podcasts, for example. But it also accepts requests for outside information sources. For instance, the Word Notes web page for this word, SSRF, might like to display a YouTube video that somebody else created on the same topic. These two use cases are normal and perfectly acceptable. But a bad actor can use this functionality to get to other internal servers or data not meant for the public.  


Rick Howard: In other words, instead of asking to see the YouTube video, they might ask to see the source code of the super secret project stored on an internal server. Hackers can't get to the super secret server directly, but they might be able to get to the data indirectly by going through the web server. To mitigate this risk, network defenders should follow their zero trust strategy and limit access to internal assets from the web server to only the employees who need it. In practice, this means that at the application level, the web server is checking the source of the request to verify whether the entity is authorized to access the data stored on the internal server. This is a lot easier to say than it is to do.  


Rick Howard: According to OWASP, these SSRF attacks are rare, but recently hackers used the technique to successfully compromise two high-profile victims: SolarWinds and Capital One.  


Rick Howard: Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare IT and security professionals for the CompTIA A+, CompTIA Network+, and CompTIA Security+ certifications. In this clip, he describes the 2019 server-side request forgery attack against Capital One.  


Professor Messer: This is an attack type that's normally prevented if you're using a web application firewall, or a WAF. In this particular case, they believe that the WAF itself was misconfigured and the attacker was able to query the WAF and gather information directly from that service. 


Professor Messer: We believe that by using this SSRF attack, the attacker was able to get the security credentials of the WAF, and by using those security credentials was able to access a bucket on Amazon's Simple Storage Service, or S3. This is a file system that exists in the Amazon cloud. Those credentials were able to access those S3 buckets, and inside of those buckets on the Capital One Amazon account were credit card applications that range from 2005 through 2019. That was 106 million names, addresses, phone numbers, emails, and dates of birth, which included 140,000 Social Security numbers and over 80,000 bank account numbers, all because they were able to perform this forgery that ultimately gave them access to that bucket. 


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.