External - DNS Query Only

External - DNS Query Only

Overview of the Vulnerability

Server-side request forgery (SSRF) is a vulnerability that exploits the trust relationship between a server and an application, or other backend systems. An attacker can take advantage of this trust to forge server-side traffic and make HTTP requests to external domains. An external SSRF vulnerability was found in this application which allows an attacker to trigger external DNS-based interactions from the application.

Business Impact

External DNS-only SSRF can result in the application and internal network being less secure, as an attacker is able to use the known DNS queries to mount further attacks.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to login and navigate to: {{URL}}

3. Forward the following payload to the endpoint:

{{request}}

1. Observe DNS interaction in the HTTP interception proxy

Proof of Concept (PoC)

The following screenshot(s) demonstrate(s) this vulnerability:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.

For this type of SSRF, the best evidence is usually a screenshot of incoming requests, and external DNS queries.

Where possible and safe, escalate the SSRF to have some kind of tangible security impact, such as exfiltrating data. If this is possible, provide a full Proof of Concept (PoC). If no impact can be demonstrated other than receiving external interactions, this will most likely be considered as P5/informational severity.

Recommendation(s)

There is no single technique to stop SSRF from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of SSRF. Some best practices include the following:

• Within the application layer, use allow lists for input validation

• Within the network layer, apply segregation principles to limit the network access of the application to only areas of the network it needs to connect to

• Validate any external domain or IP address that the application attempts send a request to

• Display generic error handling messages to the client when an error occurs, and for all error types. E.g. When invalid data is received and when a request fails server-side.

For more information, refer to the following resources:

• https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

• https://portswigger.net/web-security/ssrf

• https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/