Server-side request forgerySSRF2019 6 min read

What was Capital One?

A misconfiguration let an attacker make the server fetch a URL of their choosing. They pointed it at the cloud metadata endpoint. It handed back credentials, and those credentials opened more than 100 million records.

100M+
records exposed
1
server-side request forgery flaw
Metadata
credentials, read straight from the cloud
~4 months
between access and detection

What happened

In 2019 an attacker reached a Capital One server that could be tricked into making outbound requests on their behalf. That is server-side request forgery: you ask the application to fetch something, and it does, from where it sits inside the network.

The attacker asked it to fetch the cloud metadata endpoint, a special internal address that hands out temporary credentials to the machine. With those credentials, they read storage buckets full of customer data.

How SSRF reached the keys

Inside most cloud environments there is a metadata address that returns the running instance's credentials. It exists for convenience. It is also a prize, because anything that can make the server request that address can read its keys.

The app had no business fetching that URL, but nothing stopped it. One forged request turned a web flaw into cloud credentials, and credentials turned into the whole dataset.

The forged request the server should never have made
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/role

// returns temporary access keys for the instance,
// which then unlock the data storage.

Why one request chained to everything

SSRF on its own can look minor. It becomes a disaster when the place it can reach holds credentials, and in the cloud that place is one well-known address away.

The lesson stuck: lock down the metadata service, and never assume that because a request comes from your own server it is safe.

How it unfolded

  1. Mar 2019
    The attacker gains access through the SSRF flaw and reads cloud credentials.
  2. Mar to Jul 2019
    Customer data is copied out of cloud storage.
  3. Jul 2019
    A tip-off leads to discovery and an arrest. The breach goes public.
Where buggy.run fits

SSRF is invisible in the page. You only catch it by watching where a request actually goes after you send it.

buggy.run captures the real traffic your app generates, so a request that makes your server reach an internal address it should never touch is exactly what it is looking for.

What to take away

  • Lock down the cloud metadata service. Require the hardened version and block app access to it.
  • Validate and restrict every outbound request your app can make.
  • Give app roles the least privilege they can do their job with.
  • Alert on outbound traffic to internal addresses that no feature needs.

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.