
Q&A: Does the WAF protect against SSRF vulnerabilities?

Question

Is this vulnerability covered by the WAF?

Authentication Access Mechanism Bypass

https://cwe.mitre.org/data/definitions/918.html

  • What SSRF protections does the WAF provide?
    • Are there attack signatures that can detect SSRF?

Environment

  • WAF Silverline
  • WAF policy

Answer 

What is SSRF?

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.


[Figure: server-side request forgery diagram (server-side_request_forgery.svg)]

What is the impact of SSRF attacks?

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.


Does Silverline WAF protect against SSRF vulnerabilities?

The F5 WAF offers several protections that apply to SSRF. It can protect against this vulnerability using:

1)    Attack signatures
(some of the SSRF attack signatures are listed below)
 SSRF attempt (Alibaba Metadata Server) (Host Header)
 SSRF attempt (Alibaba Metadata Server) (Parameter)
 SSRF attempt (Alibaba Metadata Server) (URI)
 SSRF attempt (AWS Metadata Server) (Host Header)
 SSRF attempt (AWS Metadata Server) (Parameter)
 SSRF attempt (AWS Metadata Server) (URI)
 SSRF attempt (Google Metadata Server) (Host Header)
 SSRF attempt (Google Metadata Server) (Parameter)
 SSRF attempt (Google Metadata Server) (URI)
 SSRF attempt (Localhost) (Host Header)
 SSRF attempt (Oracle Metadata Server) (Host Header)
 SSRF attempt (Oracle Metadata Server) (Parameter)
 SSRF attempt (Oracle Metadata Server) (URI)
 SSRF attempt (Packetcloud Metadata Server) (Host Header)
 SSRF attempt (Packetcloud Metadata Server) (Parameter)
 SSRF attempt (Packetcloud Metadata Server) (URI)

2)    A positive security model
3)    Meta-character validation on parameters
4)    XML content profiles (for SSRF based on XXE)
5)    Detection of null characters in the request (this applies to certain scenarios where SSRF is combined with protocol smuggling attacks).
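As an added illustration (this is not F5 code and not the Silverline signature set), the following Python models the two approaches the answer lists: a negative model that matches the signature families (metadata server or localhost in the Host header, URI or a parameter) and a positive model that only permits an explicitly allowlisted destination. The indicator table holds the publicly documented cloud metadata endpoints, constructed for the example; the request values and the allowlist hostnames are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator table modelling the signature families named in the answer
# (cloud metadata servers and localhost). The values are the publicly documented
# metadata endpoints; F5's real signature patterns are not on the page.
SSRF_INDICATORS = {
    "169.254.169.254": "AWS/Google/Oracle Metadata Server",
    "metadata.google.internal": "Google Metadata Server",
    "100.100.100.200": "Alibaba Metadata Server",
    "localhost": "Localhost",
    "127.0.0.1": "Localhost",
}


def _hostname(value: str) -> str:
    """Extract a lowercase hostname from a URL, a bare host[:port], or a path."""
    target = value if "://" in value else "//" + value
    return (urlsplit(target).hostname or "").lower()


def signature_hits(host_header: str, uri: str, params: dict) -> list:
    """Negative model: flag known SSRF targets in the three request locations
    the signatures cover (Host Header, URI, Parameter)."""
    hits = []
    for location, value in (("Host Header", host_header), ("URI", uri)):
        name = SSRF_INDICATORS.get(_hostname(value))
        if name:
            hits.append((location, name))
    for param, value in params.items():
        name = SSRF_INDICATORS.get(_hostname(value))
        if name:
            hits.append(("Parameter", f"{name} in {param}"))
    return hits


def allowed_by_positive_model(url_param: str, allowed_hosts: set) -> bool:
    """Positive model: accept only https URLs whose hostname is explicitly
    allowed. IP literals and unknown hosts (including internal names that no
    signature knows about) are rejected, so nothing has to be enumerated."""
    parts = urlsplit(url_param)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never an allowlisted service name
    except ValueError:
        pass
    return host in allowed_hosts
```

The internal hostname case shows why the answer lists the positive security model alongside signatures: the signature check returns no hit for a destination inside the organisation, while the allowlist rejects it.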
