Auxiliary systems SSRF - Vulnerability Database

Auxiliary systems SSRF

Description

The web application, or an auxiliary system deployed alongside it (a caching server, reverse proxy, or analytics tool), takes a value from an attacker-controlled HTTP header, for example Host, X-Forwarded-Host or Referer, and uses it to build a server-side request. Headers are rarely treated as user input, so they often escape the validation applied to URL parameters and form fields. The result is a Server-Side Request Forgery (SSRF) vulnerability: the attacker can make the server send requests to internal network resources, services bound to localhost, cloud instance metadata endpoints, or external systems that the attacker could not reach directly. The server effectively becomes a proxy for attacker-chosen requests, bypassing network security controls such as firewalls. Because the request is frequently issued by a background component, its response may never be returned to the attacker, so this class of SSRF is usually blind and is confirmed by observing the forged request arriving at an attacker-controlled host.

Remediation

Implement the following security controls to prevent SSRF attacks:

1. Input Validation and Sanitization: Validate and sanitize all user-supplied input, especially HTTP headers, before using them in server-side requests. Use allowlists of permitted domains, protocols, and IP ranges rather than denylists.

2. Disable Unnecessary URL Schemes: Restrict URL schemes to only those required (typically https:// and http://). Block dangerous schemes like file://, gopher://, dict://, and ftp://.

3. Network Segmentation: Isolate systems that make external requests in a dedicated network segment with restricted access to internal resources. Use a dedicated, sandboxed host or service for fetching remote resources.

4. Block Internal IP Ranges: Prevent requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), the unspecified address (0.0.0.0/8), link-local addresses (169.254.0.0/16, which includes the cloud metadata address 169.254.169.254), and their IPv6 equivalents (::1, fc00::/7, fe80::/10, and IPv4-mapped forms such as ::ffff:127.0.0.1). Apply the check to the addresses a hostname resolves to, not to the hostname string, and check every address returned, since a name may map to several. Apply the same check to each hop when the client follows redirects, and be aware that a resolver answer can change between the check and the connection (DNS rebinding) unless the connection is pinned to the address that was checked.

5. Example Implementation (Python):

import ipaddress
import socket
import urllib.parse

def is_safe_url(url):
    try:
        parsed = urllib.parse.urlparse(url)
        # Only allow http and https, and require a hostname
        if parsed.scheme not in ('http', 'https') or not parsed.hostname:
            return False
        # Resolve every address the name maps to (A and AAAA records),
        # not just the single IPv4 answer gethostbyname() would return
        for info in socket.getaddrinfo(parsed.hostname, None):
            ip = ipaddress.ip_address(info[4][0])
            # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply
            if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
                ip = ip.ipv4_mapped
            # Block private, loopback, link-local, reserved and unspecified
            # ranges in one check: only globally routable addresses pass
            if not ip.is_global:
                return False
        return True
    except (ValueError, UnicodeError, socket.gaierror):
        return False

Note that this function resolves the name itself and the HTTP client resolves it again when connecting; a name whose answer changes between the two lookups can still reach an internal address unless the client is made to connect to the checked IP and to send the original name in the Host header. Redirects followed by the client must be passed through the same check.

6. Do Not Trust Network Position: Require authentication on internal services (admin interfaces, internal APIs, cloud metadata endpoints where the platform supports it) so that a forged request arriving from the application's own address cannot read or change anything on its own. Restrict the component that performs outbound requests to authenticated callers and to an allowlist of destinations, and give it only the credentials and network access its job requires.
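The following is an added example, not code from the Invicti page, showing the header-driven pattern the description refers to beside a hardened form that applies steps 1 through 6 together. It assumes a cache-refresh job that contacts the host named in the X-Forwarded-Host or Host header; the header names, the /cache/refresh path, the fixed port, the ALLOWED_HOSTS set and the FAKE_DNS table are all constructed for the example (the table stands in for DNS so the code runs offline; its public addresses are arbitrary placeholders for globally routable space, chosen outside the RFC 5737 documentation ranges because Python's ipaddress module classifies those as non-global).

```python
import ipaddress
from typing import Callable, Dict, List, NamedTuple

# Constructed stand-in for DNS so the example runs offline. Names are invented;
# public addresses are placeholders for globally routable space.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["93.184.216.34", "104.18.0.1"],
    # Allowlisted name whose answer has been rebound to include an internal address.
    "partner.example.net": ["104.18.0.2", "10.0.0.5"],
    # Allowlisted name pointed at the cloud metadata address via an IPv4-mapped IPv6.
    "legacy.example.net": ["::ffff:169.254.169.254"],
}


def fake_resolve(hostname: str) -> List[str]:
    """Assumed resolver; a real deployment would call socket.getaddrinfo()."""
    if hostname not in FAKE_DNS:
        raise ValueError(f"cannot resolve {hostname}")
    return FAKE_DNS[hostname]


# Assumed allowlist of bare hostnames the cache-refresh job may contact.
ALLOWED_HOSTS = frozenset({"cdn.example.com", "partner.example.net", "legacy.example.net"})


def vulnerable_refresh_url(headers: Dict[str, str]) -> str:
    """Vulnerable pattern: the URL the server will fetch comes straight from a
    request header, so the client decides where the server connects."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"http://{host}/cache/refresh"


class UnsafeDestination(Exception):
    pass


class PinnedTarget(NamedTuple):
    scheme: str
    connect_ip: str    # address the socket must connect to
    port: int
    host_header: str   # name to send as Host header and SNI
    path: str


def hardened_refresh_target(
    headers: Dict[str, str],
    resolve: Callable[[str], List[str]] = fake_resolve,
) -> PinnedTarget:
    """Hardened form: allowlist the bare hostname, resolve it once, check every
    answer, and pin the connection to the checked address."""
    raw = (headers.get("X-Forwarded-Host") or headers.get("Host") or "").strip().lower()
    # Anything beyond a bare hostname (userinfo, port, path, IPv6 brackets, scope id)
    # is rejected outright rather than parsed: URL parsers disagree on these edge cases.
    if not raw or any(c in raw for c in "@:/\\[]?#%") or raw not in ALLOWED_HOSTS:
        raise UnsafeDestination(f"{raw!r} is not an allowlisted bare hostname")
    addrs = [ipaddress.ip_address(a) for a in resolve(raw)]
    if not addrs:
        raise UnsafeDestination(f"{raw} has no addresses")
    for ip in addrs:
        # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as 169.254.169.254.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # One internal answer is enough to refuse: the client could pick any of them.
        if not ip.is_global:
            raise UnsafeDestination(f"{raw} resolves to non-global address {ip}")
    # Pinning the checked address closes the gap between check and connect (DNS
    # rebinding): the HTTP client must connect to connect_ip and send host_header.
    return PinnedTarget("https", str(addrs[0]), 443, raw, "/cache/refresh")


def rejects(headers: Dict[str, str]) -> bool:
    """True when the hardened check refuses the request."""
    try:
        hardened_refresh_target(headers)
    except UnsafeDestination:
        return True
    return False


if __name__ == "__main__":
    attack = {"Host": "app.example.com", "X-Forwarded-Host": "169.254.169.254"}
    print("vulnerable would fetch:", vulnerable_refresh_url(attack))
    print("hardened rejects it:", rejects(attack))
    print("hardened target for cdn:", hardened_refresh_target({"Host": "cdn.example.com"}))
```

The allowlist alone would stop the metadata-address case; the resolution check and pinning are there for the two allowlisted names whose DNS has been tampered with, which an allowlist of names cannot see. Returning a PinnedTarget rather than a URL string is deliberate: the calling code has to connect to the checked address explicitly, so the client library cannot resolve the name a second time.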

Related Vulnerabilities