Your Business Critical Applications Are Vulnerable To SSRF Attacks
What Are Business Critical Systems And What Is An SSRF Attack?
Modern businesses run on business application infrastructure with modules such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Supplier Relationship Management (SRM). These systems hold personnel, financial and other sensitive data critical to the operation of the enterprise. Moreover, they are often connected to Supervisory Control and Data Acquisition (SCADA) systems and/or banking client workstations.
Server Side Request Forgery (SSRF) is an attack that abuses an existing weakness in the business application infrastructure: the attacker uses an interface on a victim server that can send a packet to another host on another port, and that interface can itself be reached remotely without authentication.
What Happens During An SSRF Attack?
Business-critical systems are usually located in a secure subnetwork, protected by firewalls, monitored by Intrusion Detection Systems and regularly patched for their vulnerabilities.
The ERP and similar networks are usually separated from the corporate network by a firewall, and the corporate network is in turn protected from the Internet and cloud systems by another firewall. However, insecure systems leave vulnerabilities between the corporate network and the ERP network, and these are what attackers exploit.
During an SSRF attack, a compromised server sends a packet to a service, which encloses another packet within the original and forwards it to a further service. It is much like a forged letter hidden inside another letter. How much the attacker can manipulate the contents of the second packet determines the type of SSRF attack; there are typically two types: Trusted and Remote.
Trusted SSRF attacks can usually send forged packets or requests only to predefined services. Remote SSRF attacks involve forged requests to any remote port or IP address.
Trusted SSRF attacks are very stealthy: most systems across the enterprise are linked through the secure subnetwork, so the forged requests look like normal traffic. However, these attacks are somewhat harder to carry out because they need an existing link and credentials such as usernames and passwords.
Remote SSRF attacks, on the other hand, are possible from a trusted source to any host and any port, even when the source cannot connect to the remote hosts directly. Attackers scan the remote hosts for open ports and IP addresses, and if no authentication is required, it is possible to scan an internal network from the Internet. Remote SSRF threats can:
• Exploit Operating System and database vulnerabilities
• Exploit the vulnerabilities of old ERP applications
• Bypass the security restrictions of ERP
• Exploit existing vulnerabilities in ERP local services
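The remote variant described above exists because the victim server will forward a request to whatever host and port the attacker names. The defensive control is to validate the destination before the server-side request is made. The following is an added example written for this article, not code from the original post or from any product it names; the allow-listed host names, the constructed name table standing in for DNS, and the sample URLs are all assumptions made for illustration. It shows an allow-list check on scheme, port and host, and then checks every address the host resolves to, because a name on the allow-list can still point at an internal address.

```python
"""Added example: destination validation for a server-side URL fetch.
Everything below (hosts, addresses, URLs) is constructed for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: the only schemes, ports and hosts the application
# legitimately needs to reach from the server side.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"partner-api.example.com", "reports.example.com"}

# Constructed name table standing in for DNS so the example runs offline.
# reports.example.com is deliberately mapped to an internal address to show
# why the address check is needed even for an allow-listed name.
CONSTRUCTED_DNS = {
    "partner-api.example.com": ["93.184.216.34"],  # constructed public address
    "reports.example.com": ["10.20.30.40"],        # constructed internal address
}


def constructed_resolver(host):
    """Same return shape as socket.gethostbyname_ex: (name, aliases, addresses)."""
    try:
        return host, [], CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed: unknown host %s" % host)


def is_public_address(text):
    """True only for globally routable addresses. is_global is False for
    loopback, RFC 1918, link-local, shared address space, multicast,
    documentation and reserved ranges, for both IPv4 and IPv6."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_global


def check_destination(url, resolver=socket.gethostbyname_ex):
    """Return (allowed, reason). The resolver is injectable so the check can
    be exercised offline; production code keeps the real resolver."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    if host not in ALLOWED_HOSTS:
        return False, "host %r not on allow-list" % host
    # Resolve after the name check and validate every returned address.
    try:
        _, _, addrs = resolver(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc
    for addr in addrs:
        if not is_public_address(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"


def demo():
    """Run the check over constructed sample URLs and return the verdicts."""
    samples = [
        "https://partner-api.example.com/v1/orders",   # legitimate
        "http://127.0.0.1:8080/admin",                 # loopback, odd port
        "http://partner-api.example.com:3300/",        # allowed host, non-web port
        "https://reports.example.com/export",          # allowed name, internal IP
        "ftp://partner-api.example.com/",              # scheme outside policy
    ]
    return {u: check_destination(u, constructed_resolver) for u in samples}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(url, "->", verdict)
```

The order of checks matters for what the reason string tells an operator, but not for safety: a request is only made when every check passes. Rejecting non-global addresses after resolution is what keeps an allow-listed name from being turned into a forwarder to the ERP subnet.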
Why Is An SSRF Attack Critical To The Enterprise?
The company's critical information is stored in its ERP, which makes an attack on the ERP system very lucrative to a competitor, an industrial spy or a cybercriminal. The critical information may include intellectual property, information on public or customer relations, personally identifiable information and, most importantly, financial data.
According to James Scott of Princeton Corporate Solutions, a business can suffer a significant amount of damage if the ERP system is compromised through insider embezzlement, fraud, sabotage or industrial espionage.
How to Prevent SSRF Attacks
Most business-critical systems require close collaboration with the vendor to close the vulnerabilities that allow SSRF attacks. Regular patching and the use of continuous monitoring systems along with vulnerability assessment tools will help. It is preferable to use systems that can expose zero-day vulnerabilities.
Let application security experts assess the business-critical systems and monitor them with automated solutions such as ERPScan Security Scanner, which can identify misconfigurations, vulnerabilities and many other issues.
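Continuous monitoring can also catch the remote SSRF behaviour described earlier, where a single trusted server is made to probe many internal hosts and ports. The following is an added example written for this article, not code from the original post or from ERPScan; the firewall log format, the addresses and the threshold are constructed assumptions. It parses egress log lines from the firewall between the corporate and ERP networks and flags any source that reaches an unusual number of distinct destination host:port pairs within a short window. Denied connections are counted as well, since a scan shows up mostly as refusals.

```python
"""Added example: fan-out detection over constructed firewall egress logs.
The log format, addresses and threshold are invented for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines from the firewall between the corporate web tier
# (10.1.20.0/24) and the ERP subnet (10.5.0.0/24). Host 10.1.20.5 behaves
# normally; host 10.1.20.7 is made to touch many hosts and ports quickly.
CONSTRUCTED_LOG = """\
2024-03-01T09:00:00Z src=10.1.20.5 dst=10.5.0.10 dport=443 action=ALLOW
2024-03-01T09:00:01Z src=10.1.20.5 dst=10.5.0.10 dport=443 action=ALLOW
2024-03-01T09:00:02Z src=10.1.20.7 dst=10.5.0.21 dport=3300 action=ALLOW
2024-03-01T09:00:02Z src=10.1.20.7 dst=10.5.0.21 dport=3301 action=DENY
2024-03-01T09:00:03Z src=10.1.20.7 dst=10.5.0.21 dport=8000 action=DENY
2024-03-01T09:00:03Z src=10.1.20.7 dst=10.5.0.22 dport=3300 action=ALLOW
2024-03-01T09:00:04Z src=10.1.20.7 dst=10.5.0.22 dport=50000 action=DENY
2024-03-01T09:00:05Z src=10.1.20.7 dst=10.5.0.23 dport=1433 action=DENY
2024-03-01T09:00:06Z src=10.1.20.5 dst=10.5.0.10 dport=443 action=ALLOW
2024-03-01T09:10:00Z src=10.1.20.7 dst=10.5.0.24 dport=22 action=DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport, action) tuples.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["action"]))
    return events


def detect_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: max distinct (dst, dport) pairs seen in any `window`}
    for every source that reached at least `threshold` distinct pairs.
    Uses a sliding window over the per-source, time-ordered event list."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in sorted(events):
        by_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            # Drop events that fell out of the window ending at items[end].
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {pair for _, pair in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def demo():
    """Run the detector over the constructed log and return the alerts."""
    return detect_fanout(parse_log(CONSTRUCTED_LOG))


if __name__ == "__main__":
    for src, count in demo().items():
        print("ALERT: %s reached %d distinct host:port pairs within one window" % (src, count))
```

The threshold and window are tuning knobs: a web tier that legitimately talks to two or three ERP endpoints will stay far below five distinct pairs per minute, while a forwarded scan crosses it within seconds. The single probe ten minutes later is correctly left out of the alert count because it falls outside the window.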
About the Author
This post is an excerpt from 'The CEO's Manual On Cyber Security' by six-time best-selling author James Scott. James Scott is a writer, lecturer and CEO of Princeton Corporate Solutions.