Server-Side Request Forgery (SSRF) is a type of cyber attack in which an attacker tricks a server into making a request to another server or resource on the attacker's behalf. This can be used to gain unauthorized access to internal systems, steal sensitive information, or launch further attacks.
The attack is typically carried out by injecting a malicious URL or other request into a vulnerable application, which then sends the request to the targeted server or resource. Because the request originates from the server itself, the attacker can use this technique to bypass firewalls and other security controls that protect internal systems and resources.
Azure Application Gateway is a web traffic load balancer and application delivery controller service provided by Microsoft on its Azure platform. It enables users to manage and scale their web applications by distributing incoming web traffic across multiple servers and resources. Application Gateway provides several features, such as:
Load balancing: distributes incoming web traffic across multiple servers based on various algorithms.
SSL/TLS termination: offloads SSL/TLS encryption and decryption from the backend servers.
Web Application Firewall (WAF): protects against common web-based attacks such as SSRF, SQL injection and cross-site scripting (XSS).
It can be used for various purposes, such as:
Scaling web applications to handle large amounts of traffic.
Offloading SSL/TLS encryption and decryption from the backend servers.
Providing a layer of protection against common web-based attacks.
Step 1: Navigate to the registration page where the user can create a new account.
Step 2: Fill in the details and click the "Register" button.
Step 3: Now log in using the new credentials.
Step 4: Click on the New Post tab in the navigation bar.
Step 5: Open the browser's inspect element and enter the payload given below.
file:///etc/passwd
Step 6: Click on Upload, and you will see a response; click it as shown in the image.
Copy the URL from the Response tab.
Open the copied URL, and you will get a downloadable PNG file. Download the PNG file.
Now open the PNG file in a text editor.
We can read the passwd file, so this web app is vulnerable to SSRF.
Step 7: Now let's prevent the SSRF attack. Open the Azure portal and click on Create, as shown in the image.
Step 8: Search for application gateway.
Click on Create.
Step 9: Enter the following and click on Create new to create a virtual network, as shown in the image.
Step 10: Create the virtual network.
Once everything is done as shown in the image, go to Frontend.
Step 11: Set Frontend IP type to Public and add a new public IP address, as shown in the image.
Once everything is done as shown in the image, click on Backend.
Step 12: Click on Add backend pool.
Choose Target Type: App Services
Target: xxxxxx-function
And click on Add.
Next, click on Configuration.
Step 13: Add a routing rule.
Fill in the following as shown in the image.
Step 14: Set Protocol to HTTPS, upload the certificate and click on Backend targets.
Note: If you don't have a certificate, you can create a self-signed certificate; to do that, go to the Appendix section at the bottom.
In the backend targets, click on Add new.
Give it a name, set Override backend path to /, choose Yes for Override with hostname and select Pick hostname from backend target. Then click on the Add button, as shown in the image.
Again click on Add.
Step 15: Now go to Review + create.
Click on Create.
The creation takes approximately 20 to 25 minutes.
Once the resource is deployed, click on Go to resource group.
Step 16: Open created gateway resource.
Copy the IP address.
Open a text editor and paste it. Put the IP address and the DNS name on separate lines, prefix each with https:// and append / to each, as shown in the image.
Step 17: Copy the DNS URL.
Open DNS name URL in the Browser and click on Continue, as shown in the image.
Note: The browser reports the connection as not secure because the certificate is self-signed and is not recognized as trusted.
Now you will get the following as shown in the image.
Step 18: Click on Web application firewall and then on Rules.
Click on Enabled for Advanced rule configuration. The gateway blocks requests that match any of the enabled rules.
Search for the header rules, disable them and click on Save, as shown in the image.
It takes 5-7 minutes for the settings to update.
Note: If we don't disable the header rules, the WAF blocks requests in which we submit https URLs as input, and our web application needs to accept an image URL as input.
Step 19: Go to the Storage account and click on the prod-appxxxxxx container.
Step 20: Follow the path to open the .js file as shown in the image.
Step 21: Download the file.
Step 22: Now open the function app: appazgoatxxxxxxx-function.
Copy the URL.
Step 23: Open the downloaded file and search for the copied URL.
Replace the copied URL with the DNS URL from Step 17.
Save the file.
Step 24: We will replace the .js file in the container with the edited .js file. Click on Upload, choose to overwrite the existing file, and upload it.
Step 25: Go back to our web app and refresh the page.
Step 26: Enter the payload as shown in the image.
file:///etc/passwd
Step 27: Click on the Upload button. Now you will see that both responses are errors.
Double-click on the first response.
You will see an Access denied error: the request now passes through the gateway, and its WAF rejects the payload instead of forwarding it to the function app.
We have mitigated the SSRF attack using Application Gateway.
Appendix: Creating a self-signed certificate
Step 1: If you already have a Windows Server 2016 machine, you may skip to Step 6. Open the Marketplace and search for Virtual machine.
Step 2: Fill in the following:
Image: Windows Server 2016,
Choose your Username and Password,
Click on Review+Create.
Step 3: Click on Create.
Step 4: Creation takes 3-4 minutes.
Step 5: Click on Connect and download the RDP file.
Step 6: Enter the credentials to log in.
Step 7: Open PowerShell.
Execute the following command.
New-SelfSignedCertificate `
-certstorelocation cert:\localmachine\my `
-dnsname www.contoso.com
Step 8: Copy the thumbprint from the output.
Step 9: Paste the thumbprint into the command given below:
$pwd = ConvertTo-SecureString -String "Azure123456!" -Force -AsPlainText
Export-PfxCertificate `
-cert cert:\localMachine\my\PASTE_YOUR_THUMBPRINT `
-FilePath c:\appgwcert.pfx `
-Password $pwd
Run the command, and you will see the following output.
The .pfx certificate is saved to the C:\ drive as appgwcert.pfx.