Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
Server-Side Request Forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example 1: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following types of attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Perform a DNS cache poisoning attack.
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
such as:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following types of attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Perform a DNS cache poisoning attack.
desc.dataflow.apex.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.dotnet.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
An attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using the file:// scheme.
- On Windows systems, using the file:// scheme and UNC paths can enable an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
char *url = maliciousInput();
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);
An attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
such as:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using the file:// scheme.
- On Windows systems, using the file:// scheme and UNC paths can enable an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
desc.dataflow.cpp.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection originates from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
...
final server = await HttpServer.bind('localhost', 18081);
server.listen((request) async {
final headers = request.headers;
final url = headers.value('url');
final client = IOClient();
final response = await client.get(Uri.parse(url!));
...
}
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
such as:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
desc.dataflow.dart.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker might influence a network connection made by the application server. The network connection originates from the application server's internal IP address and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL the server is connecting to.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and the libraries used to establish the connection. For example, controlling the URI scheme enables the attacker to use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- Scan and access internal shares on Windows systems with file:// scheme and UNC paths.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL the server is connecting to.
url := request.Form.Get("url")
res, err =: http.Get(url)
...
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and the libraries used to establish the connection. For example, controlling the URI scheme enables the attacker to use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- Scan and access internal shares on Windows systems with file:// scheme and UNC paths.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.golang.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
String url = request.getParameter("url");
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpGet httpGet = new HttpGet(url);
CloseableHttpResponse response1 = httpclient.execute(httpGet);
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.java.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker may influence a network connection made by the application server. The network connection will originate from the application server's internal IP address and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
var http = require('http');
var url = require('url');
function listener(request, response){
var request_url = url.parse(request.url, true)['query']['url'];
http.request(request_url)
...
}
...
http.createServer(listener).listen(8080);
...
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.javascript.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
val url: String = request.getParameter("url")
val httpclient: CloseableHttpClient = HttpClients.createDefault()
val httpGet = HttpGet(url)
val response1: CloseableHttpResponse = httpclient.execute(httpGet)
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.kotlin.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker may influence a network connection made by the application server. The network connection will originate from the application server's internal IP address and an attacker will be able to use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
$url = $_GET['url'];
$c = curl_init();
curl_setopt($c, CURLOPT_POST, 0);
curl_setopt($c,CURLOPT_URL,$url);
$response=curl_exec($c);
curl_close($c);
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.php.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker may influence a network connection made by the application server. The network connection will originate from the application server's internal IP address and an attacker will be able to use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
url = request.GET['url']
handle = urllib.urlopen(url)
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.python.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker may influence a network connection made by the application server. The network connection will originate from the application server's internal IP address and an attacker will be able to use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
url = req['url']
Net::HTTP.get(url)
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
desc.dataflow.ruby.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker may influence a network connection made by the application server. The network connection will originate from the application server's internal IP address and an attacker will be able to use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed.
Example: In the following example, an attacker can control the URL to which the server is connecting.
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
Example: In the following example, an attacker can control the URL to which the server is connecting.
def getFile(url: String) = Action { request =>
...
val url = request.body.asText.getOrElse("http://google.com")
ws.url(url).get().map { response =>
Ok(s"Request sent to $url")
}
...
}
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Attack vulnerable programs running on the application server or on the intranet.
- Attack internal/external web applications using Injection attacks or CSRF.
- Access local files using file:// scheme.
- On Windows systems, file:// scheme and UNC paths can allow an attacker to scan and access internal shares.
- Perform a DNS cache poisoning attack.
References
desc.dataflow.scala.server_side_request_forgery
Abstract
The application initiates a network connection to a third-party system using user-controlled data to craft the resource URI.
Explanation
A Server-Side Request Forgery occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are otherwise not exposed.
Example 1: Example of an actual user checking details of a given product.
Example 2: Few examples of how an attacker that has control over the
POST /checkDetails HTTP/1.1
url=https://example.com/product/1
url
parameter can tamper the request in Example 1.
POST /checkDetails HTTP/1.1
url=https://localhost.com/admin
POST /checkDetails HTTP/1.1
url=file:///etc/passwd
The attacker's ability to hijack the network connection depends on the specific part of the URI that can be controlled, and on the libraries used to establish the connection. For example, controlling the URI scheme lets the attacker use protocols different from
http
or https
like:- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://
An attacker can leverage this hijacked network connection to perform the following attacks:
- Port Scanning of intranet resources.
- Bypass firewalls.
- Access authorization credentials.
- Attack vulnerable programs running on the application server or on the intranet.
- Gain remote code execution.
- Access local files.
References
desc.dynamic.xtended_preview.server_side_request_forgery