
In modern web applications, the prevalent architecture is microservices. What appears to be a single front-end application is in fact an amalgamation of many small, distinct microservices on the back end, interconnected through a reverse proxy. Consider, for instance, a request to a path such as ‘/api/usermanager/111/email’. The application inspects this path and determines that it should be routed to the user management microservice, subject to the proper authorization checks.

This already looks a lot like Server-Side Request Forgery (SSRF): the path of the client’s HTTP request ultimately reaches an internal backend server. Indeed, the resemblance is striking. If it is possible to trigger a redirect on, or manipulate the host sent to, this internal server, the door to an SSRF vulnerability is open.

Nonetheless, an alternative attack vector is worth considering. Sending the request ‘/api/usermanager/111%2f..%2f111/email’ results in the request reaching the backend server as ‘https://usermanagement.internal/user/111/../111/email’. The response to this request is identical to the original, which demonstrates that the backend server’s directory structure can be traversed through the proxy. This paves the way for abusing the admin API key in use, potentially leading to data leakage and a security breach of considerable magnitude.

Example:

To find user data:

  • /api/usermanager/111..%2f..%2fusers%3f/email
  • https://usermanagement.internal/user/111/../../users?/email

To find IDORs:

  • /api/usermanager/111%2f..%2f112/email
  • https://usermanagement.internal/user/111/../112/email
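To make the routing difference concrete, the following is an added Python sketch (not FireCompass’s code, nor any real gateway) of a hypothetical proxy that maps ‘/api/usermanager/<id>/email’ to the backend. It contrasts a naive implementation that decodes the path and splices the id straight into the upstream URL with one that validates the decoded id against a strict allow-list pattern; the backend host, route shape and the “digits only” id rule are assumptions for illustration.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Hypothetical gateway route: /api/usermanager/<id>/email -> backend /user/<id>/email
BACKEND = "https://usermanagement.internal"
ROUTE = re.compile(r"^/api/usermanager/(?P<uid>.+)/email$")
SAFE_ID = re.compile(r"^[0-9]{1,10}$")  # assumption: user ids are plain digits


def vulnerable_route(path: str) -> Optional[str]:
    """Naive gateway: percent-decode the client path, then splice the id into the
    upstream URL. After decoding, %2f is '/' and '..' survives, so the client
    controls extra path segments on the backend."""
    m = ROUTE.match(unquote(path))
    if not m:
        return None
    return f"{BACKEND}/user/{m.group('uid')}/email"


def hardened_route(path: str) -> Optional[str]:
    """Same route, but the decoded id must match the allow-list pattern, and it is
    re-encoded before being placed in the upstream URL. '..', '/', '?' or a
    double-encoded %2f all fail the pattern and the request is refused."""
    m = ROUTE.match(unquote(path))
    if not m:
        return None
    uid = m.group("uid")
    if not SAFE_ID.fullmatch(uid):
        return None
    return f"{BACKEND}/user/{quote(uid, safe='')}/email"


def backend_view(upstream_url: str) -> str:
    """What the backend actually serves: dot-segments are removed from the path
    (the query, if any, is split off at the first '?' and left untouched)."""
    parts = urlsplit(upstream_url)
    return urlunsplit(parts._replace(path=posixpath.normpath(parts.path)))


if __name__ == "__main__":
    for p in ("/api/usermanager/111/email", "/api/usermanager/111%2f..%2f112/email"):
        naive = vulnerable_route(p)
        print(p, "->", naive, "=> backend serves", backend_view(naive))
        print(p, "-> hardened:", hardened_route(p))
```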

Mitigation and Prevention

Possibly the most effective ways to prevent server-side request forgery (SSRF) or IDORs in this setting are:

  • Whitelisting input validation: create an allow list of the hostnames (DNS names) or IP addresses the application needs to access.
  • Implementing authentication on internal services: enable authentication for all traffic between the internal microservices.
  • Managing application routing: handle and verify the response from each upstream URL call and ensure that it is within expected bounds.
  • Web application firewalls: implement additional preventive protection in the form of a tuned web application firewall.

Conclusion:

Even with advances in web technology, web applications increasingly show unexpected interactions between the different servers within the stack. Understand the application’s routing methods and follow best practices for preventing and mitigating these secondary context attacks.

By: FireCompass Delivery Team – M Mohamed Swalih Moopen, Arnab Chattopadhayay , Amit Da, Joy Sen

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed by conventional tools.

Feel free to get in touch with us to get a better view of your attack surface.

Important Resources: