- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Prevention
SSRFs happen when servers need to send requests to obtain external resources. For example, when you post a link on Twitter, Twitter fetches an image from that external site to create a thumbnail. If the server doesn’t stop users from accessing internal resources using the same mechanisms, SSRF vulnerabilities occur.
Let’s look at another example. Say a page on public.example.com allows users to upload a profile photo by retrieving it from a URL via this POST request:
POST /upload_profile_from_url
Host: public.example.com
(POST request body)
user_id=1234&url=https://www.attacker.com/profile.jpeg
To fetch profile.jpeg from attacker.com, the web application would have to visit and retrieve contents from attacker.com. This is the safe and intended behavior of the application. But if the server does not make a distinction between internal and external resources, an attacker could just as easily request a local file stored on the server, or any other file on the network. For instance, they could make the following POST request, which would cause the web server to fetch the sensitive file and display it as the user’s profile picture:
POST /upload_profile_from_url
Host: public.example.com
(POST request body)
user_id=1234&url=https://localhost/passwords.txt
Two main types of protection against SSRFs exist: blocklists and allowlists. Blocklists are lists of banned addresses. The server will block a request if it contains a blocklisted address as input. Because applications often need to fetch resources from a variety of internet sources, too many to explicitly allow, most applications use this method. Companies blocklist internal network addresses and reject any request that redirects to those addresses.
On the other hand, when a site implements allowlist protection, the server allows only requests that contain URLs found in a predetermined list and rejects all other requests. Some servers also protect against SSRFs by requiring special headers or secret tokens in internal requests.
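As an added example that is not from the book, here is a server-side check in Python for the url parameter of the profile-photo upload request above. It implements both protections the text describes: an allowlist mode that accepts only predetermined hosts, and a blocklist mode that resolves the hostname and rejects loopback, private and link-local addresses, which is what stops the second request's localhost URL. The hostnames, the FAKE_DNS table and the address 1.2.3.4 are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def default_resolver(host: str) -> set:
    """Every A/AAAA record; whoever owns a hostname decides what it resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_fetch_url(url: str, allowed_hosts=None, resolver=default_resolver):
    """Return (ok, reason): allowlist mode if allowed_hosts is given, else blocklist.
    Re-run on every redirect hop, since a public URL may redirect to an internal one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased; brackets already stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if allowed_hosts is not None:
        if host in {h.lower() for h in allowed_hosts}:
            return True, "host is allowlisted"
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "host resolves only to public addresses"

# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {"localhost": {"127.0.0.1", "::1"},
            "intranet.corp.example": {"10.0.0.5"},
            "cdn.example.net": {"1.2.3.4"}}  # 1.2.3.4 stands in for a public address

def fake_resolver(host: str) -> set:
    try:
        return {str(ipaddress.ip_address(host))}  # the URL carried an IP literal
    except ValueError:
        if host not in FAKE_DNS:
            raise OSError(f"no records for {host}")
        return FAKE_DNS[host]
```

The blocklist mode checks the resolved addresses rather than the hostname string, so a public-looking name that points at an internal address is still rejected; the same check must be applied to each redirect target before following it.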