Piercing the Veil: Server Side Request Forgery attacks on Internal Networks.
2019-10-24, 13:15–14:00, Europe

I demonstrate a successful attack on a cloud-based US Defense website, gaining access to a sensitive internal network, enumeration of internal services, out of bands data leakage and attack vectors unique to cloud architecture. Additionally I will discuss mitigation points for server side request forgery, how this type of vulnerability can manifest, what this type of attack is, and how I'm able to legally hack the Department Of U.S Defense.

Server-side request forgery (SSRF) attacks abuse poorly secured requests made on the server-side; these requests appear in many circumstances, from getting a user's avatar to pinging a third-party webhook. SSRF attacks hijack these HTTP requests, allowing an attacker to exploit the application to route URL/IP requests and subsequently probe or access sensitive networks.

Unsurprisingly, this can lead to serious breaches of security: exfiltration of secret keys, spoofing of email, and, ultimately, an entry point into an otherwise secure system. On cloud systems, SSRF gives the attacker a way to query for metadata which can reveal security credentials, or access tokens to the instance. Different cloud providers offer different safeguards; likewise they may make the threat far less clear than others do!

In this case study, I'll describe how, as part of a recent U.S. Department of Defense vulnerability disclosure program, I gained access to the Non-Classified Internet Protocol Router Network (NIPRNET). We'll look at the SSRF techniques that I used to access AWS metadata and reveal sensitive information about cloud instances. I'll also talk about some techniques for protection against SSRF - input validation, compartmentalized services, access control, and security policies.