SSRF: Checking External IP

TL;DR

An attacker can use a Server-Side Request Forgery (SSRF) vulnerability to determine your server’s external IP address. This is done by making the server request an external service that returns its IP. You need to prevent SSRF and, if possible, limit outbound network access from your server.

How Attackers Do It

SSRF happens when a web application lets users control where it makes HTTP requests. If not secured properly, an attacker can make the server request internal or external resources. Here’s how they check the external IP:

Steps to Prevent External IP Checks via SSRF

1. Understand the Vulnerability: SSRF allows attackers to send requests *from* your server. This means if your server can access the internet, an attacker might be able to use it as a proxy.
2. Input Validation & Sanitisation: The most important step is to validate and sanitise any user-supplied input used in HTTP requests.
   • Whitelist Allowed Domains/IPs: Only allow requests to specific, trusted domains or IP addresses. This is the strongest defence.
   • Blacklist Dangerous Schemes: Block schemes like file://, gopher://, and ftp:// which can be used for internal access.
   • Regular Expression Filtering: Use a strict regular expression to validate URLs. Avoid allowing characters that could bypass filters (e.g., URL encoding).
3. Network Restrictions: Limit your server’s outbound network access.
   • Firewall Rules: Configure firewalls to only allow connections to necessary external services.
   • Proxy Server: Route all outbound requests through a proxy server and restrict its access.
4. Disable Unnecessary Protocols: Disable any protocols your application doesn’t need (e.g., FTP, Gopher).
5. Response Handling: Be careful how you handle responses from external services.
   • Don’t Display Raw Responses: Never directly display the raw output of an external request to the user. This could reveal sensitive information.
   • Parse and Validate Data: If you need data from an external service, parse it carefully and validate it before using it in your application.
6. Example Code (Python – Illustrative):

   import requests
   
   trusted_domains = ['example.com', 'api.trustedservice.net']
   def make_request(url):
     if url not in trusted_domains:
       return "Error: Domain not allowed"
     try:
       response = requests.get(url)
       response.raise_for_status() # Raise HTTPError for bad responses (4xx or 5xx)
       return response.text
     except requests.exceptions.RequestException as e:
       return f"Error: {e}"
   # Example usage
   user_url = input("Enter URL:")
   result = make_request(user_url)
   print(result)

7. Common SSRF Payloads to Watch For:
   • http://checkip.amazonaws.com (Returns the server’s external IP address in plain text.)
   • http://ifconfig.me (Another service that returns the server’s external IP.)
   • http://icanhazmyip.com (Similar to checkip.amazonaws.com)
   • Internal IPs: Attackers may try accessing internal services like databases or admin panels using private IP addresses.

Further Security Considerations

Regularly scan your applications for SSRF vulnerabilities and keep your dependencies up to date. Consider using a Web Application Firewall (WAF) with built-in SSRF protection.