Host
You're listening to the Cyberwire network, powered by N2K.
Dave
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2K, code N2K.
Rick Howard
The word is OWASP server-side request forgery, spelled O for Open, W for Web, A for Application, S for Security, P for Project; server-side for the application that runs on the server, in contrast to running on the user's browser, or client side; and request forgery for unauthorized access requests to servers that are supposed to be private.

Definition: an attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers.

Example sentence: a server-side request forgery, or SSRF, attack often exploits trust relationships between publicly visible web servers and private internal servers.

Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an educational piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals led by the foundation's executive director and Top 10 project leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerabilities list, SSRF ranks at number 10.

In a normal configuration, web servers typically get requests for information that the web server stores locally. On the Cyberwire web page, users can request a list of all the Cyberwire podcasts, for example. But it also accepts requests for outside information sources. For instance, the Word Notes website page for this word, SSRF, might like to display a YouTube video that somebody else created on the same topic. These two use cases are normal and perfectly acceptable, but a bad actor can use this functionality to get to other internal servers or data not meant for the public.

In other words, instead of asking to see the YouTube video, they might ask to see the source code of the super secret project stored on an internal server. Hackers can't get to the super secret server directly, but they might be able to get to the data indirectly by going through the web server. To mitigate this risk, network defenders should follow their zero trust strategy and limit access to internal assets from the web server to only the employees who need it. In practice, this means that at the application level, the web server is checking the source of the request to verify whether the entity is authorized to access the data stored on the internal server. This is a lot easier to say than it is to do. According to OWASP, these SSRF attacks are rare, but recently hackers used the technique to successfully compromise two high-profile victims, SolarWinds and Capital One.

Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare IT and security professionals for CompTIA A+, CompTIA Network+ and CompTIA Security+ certifications. In this clip he describes the 2019 server-side request forgery attack against Capital One.
Host
This is an attack type that's normally prevented if you're using a web application firewall, or WAF. In this particular case, they believe that the WAF itself was misconfigured and the attacker was able to query that WAF and gather information directly from that service. We believe that by using this SSRF attack the attacker was able to get security credentials of the WAF, and by using those security credentials was able to access a bucket on Amazon's Simple Storage Service, or S3. This is a file system that exists in the Amazon cloud. Those credentials were able to access those S3 buckets, and inside of those buckets on the Capital One Amazon account were credit card applications that ranged from 2005 through 2019. That was 106 million names, addresses, phone numbers, emails and dates of birth. That consisted of 140,000 Social Security numbers and over 80,000 bank account numbers, all because they were able to perform this forgery that ultimately gave them access to that bucket.
Rick Howard
Word Notes is written by Nyla Genoi, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Dave
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.
Podcast Summary: Hacking Humans – Episode on OWASP Server-Side Request Forgery
Podcast Information:
In this episode of Hacking Humans, Rick Howard delves into the intricacies of Server-Side Request Forgery (SSRF), a critical vulnerability highlighted by the Open Web Application Security Project (OWASP). SSRF is recognized as a significant threat in the OWASP Top 10 Vulnerabilities list, emphasizing its potential impact on web security.
At [01:28], Rick Howard defines SSRF as follows:
"An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers."
He breaks down the acronym:
Server-Side refers to applications running on the server, contrasting with client-side operations in the user's browser. Request Forgery involves unauthorized access requests to servers intended to remain private.
Rick provides a brief history of OWASP, noting that it originated in 2003 when Dave Wichers and Jeff Williams of Aspect Security published an educational piece on top software security coding issues. This initiative ultimately evolved into the OWASP Top 10, a widely recognized document outlining the most critical security concerns for web applications.
Today, OWASP boasts tens of thousands of members and hundreds of chapters worldwide, under the leadership of Executive Director Andrew Van der Stock. The organization is dedicated to enabling organizations to develop, purchase, and maintain trustworthy applications and APIs.
In the 2021 OWASP Top 10 Vulnerabilities list, SSRF is ranked at number 10, underscoring its importance in web security paradigms.
Rick explains that in a standard web server configuration, requests for information are handled locally—for example, retrieving a list of Cyberwire podcasts or embedding a YouTube video on a webpage. These functionalities are typically secure; however, they also offer entry points for malicious actors.
An SSRF attack can exploit these functionalities by manipulating the server to access internal resources not intended for public exposure. For instance, instead of requesting a YouTube video, an attacker might probe for sensitive data like the source code of a confidential project stored on an internal server. This indirect access bypasses direct security measures, exploiting the trust relationship between publicly visible web servers and private internal servers.
To counter SSRF threats, Rick emphasizes the importance of a zero-trust strategy. This involves limiting access to internal assets from the web server strictly to authorized employees. At the application level, this translates to rigorous verification of the request sources, ensuring that only entities with proper authorization can access sensitive data on internal servers.
He acknowledges the challenges in implementing these measures, noting:
"This is a lot easier to say than it is to do."
Despite the inherent difficulties, adhering to OWASP’s guidelines and best practices significantly enhances an organization's defense against SSRF attacks.
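The application-level check described above, as an added Python example that is not code from the episode or from OWASP: it allows the server's outbound fetches only to an exact-match allowlist of public hosts over HTTPS, and still refuses the fetch when an allowlisted name resolves into loopback, private or link-local address space. The host names, the TEST-NET address and the `fake_resolve` lookup table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for a hypothetical page-rendering server that embeds videos:
# only these public hosts may be fetched, and only over HTTPS.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}
ALLOWED_SCHEMES = {"https"}

# Ranges the fetcher must never reach: loopback, RFC 1918 private space,
# link-local, carrier-grade NAT and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_fetch_url(url: str, resolve) -> tuple:
    """Return (allowed, reason). resolve(host) -> list of IP strings (injected so
    this runs offline; a real fetcher should connect to the validated address)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"        # blocks user@host confusion
    host = parts.hostname
    if host not in ALLOWED_HOSTS:                 # exact match, never substring
        return False, f"host {host!r} not on allowlist"
    try:
        if parts.port not in (None, 443):
            return False, "non-standard port"
    except ValueError:
        return False, "malformed port"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:                            # an allowlisted name can still
        if is_blocked_address(addr):              # be pointed at internal space
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"

# Constructed DNS table (TEST-NET-3 public address; the bare domain is
# deliberately pointed at an internal address to exercise the last check).
FAKE_DNS = {"www.youtube.com": ["203.0.113.10"], "youtube.com": ["10.0.0.8"]}
def fake_resolve(host: str) -> list:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```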
Rick underscores the real-world implications of SSRF vulnerabilities by citing two high-profile breaches: SolarWinds and Capital One.
At [05:32], he describes a specific incident involving Capital One:
"In this particular case, they believe that the WAF itself was misconfigured and the attacker was able to query that WAF and gather information directly from that service. By using this SSRF attack, the attacker was able to get security credentials of the WAF and access a bucket on Amazon's simple storage service or S3. Inside those buckets were credit card applications containing 106 million names, addresses, phone numbers, emails, dates of birth, 140,000 Social Security numbers, and over 80,000 bank account numbers."
This example highlights how an SSRF attack can lead to extensive data breaches, affecting millions and causing significant reputational and financial damage to organizations.
Rick Howard wraps up the discussion by reiterating the severity of SSRF vulnerabilities and the importance of proactive security measures. By understanding the mechanics of SSRF and implementing robust mitigation strategies, organizations can better safeguard their internal resources against such sophisticated attacks.
Notable Quotes:
Rick Howard [01:28]:
"An attack technique that leverages an unprotected web server as a proxy for attackers to send commands through to other computers."
Rick Howard [05:32]:
"That was 106 million names, addresses, phone numbers, emails and dates of birth. That consisted of 140,000 Social Security numbers and over 80,000 bank account numbers, all because they were able to perform this forgery that ultimately gave them access to that bucket."
This episode provides a comprehensive overview of SSRF, emphasizing its definition, historical context, operational mechanisms, mitigation strategies, and real-world implications. Through expert insights and poignant examples, listeners gain a deep understanding of the threats posed by SSRF and the critical importance of robust web security practices.