An SSRF, privileged AWS keys and the Capital One breach
Hacker101 - SSRF
This post attempts to explain the technical side of how the Capital One breach occurred, the impact of the breach and what you can do as a user of cloud services to prevent this from happening to you.
Updated 3rd December — Please note: AWS has released additional security defences against the attack described in this blog post. On July 29th, Capital One Financial Corporation announced that it had determined there was unauthorised access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
This event affected approximately million individuals in the United States and approximately 6 million in Canada. The hacker gained access to data that included approximately Social Security numbers and approximately 80, bank account numbers on U. The following is a reconstruction of the attack and a technical walk-through of what happened, as uncovered in the investigation. There is evidence that the targeted application was behind a Web Application Firewall (ModSecurity), but either a bypass was used or the WAF was not configured to block attacks (logging mode).
The keys essentially allowed the attacker to list and sync the S3 buckets to a local disk, thereby providing access to all the data contained in them. In the security industry, among security researchers and bug bounty hunters, SSRF (Server Side Request Forgery) is an extremely lucrative bug, especially when the targeted infrastructure is in the cloud. Put simply: if an application or service accepts a URL, IP address or hostname that tells it where to fetch data from, and you control that input, it could be vulnerable to SSRF.
HackerOne has a nice article explaining this in more detail. The instance metadata endpoint is accessible only from the machine itself, so you would normally need to be inside a shell on the machine to run, for example, curl or wget against it.
The same is true for a service or program running on the machine. Importantly, one piece of information that can be pulled from the instance metadata service is the set of credentials for an IAM role that may have been attached to the instance.
It appears that this role had excessive privileges, allowing the listing of and access to S3 storage. This privilege was used to list the buckets and download them locally. From the complaint filed with the Department of Justice and from the attacker's Slack channel and Twitter, it is evident that the following was the sequence of events. A sample of what is visible when the AWS credentials for an attached IAM role are requested via the instance metadata service is shown below.
Gaining access to the data in S3.

The Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances and can be used to manage and configure your virtual machines. Information provided includes the SKU, network configuration, and upcoming maintenance events. For a complete list of the data that is available, see metadata APIs.
The endpoint is available at a well-known non-routable IP address. The service is available in all generally available Azure regions and regularly receives updates that expose new information about virtual machine instances. This page reflects the up-to-date metadata APIs available; you can see the newest versions listed in the availability table.
As newer versions are added, older versions can still be accessed for compatibility if your scripts depend on specific data formats. When you query the Instance Metadata Service, you must provide the header Metadata: true to ensure the request was not unintentionally redirected. All data categories for a virtual machine instance can be accessed with a single request. However, different APIs return data in different formats if requested. The following table is a reference of other data formats APIs may support.
To access a non-default response format, specify the requested format as a query string parameter in the request. The Instance Metadata Service endpoint is accessible only from within the running virtual machine instance, on a non-routable IP address. In addition, any request carrying an X-Forwarded-For header is rejected by the service. Requests must also contain a Metadata: true header to ensure that the request was directly intended and not part of an unintentional redirection.
All of the following example responses are pretty-printed for readability. Part of the purpose of the Instance Metadata Service is to guarantee that the data provided is coming from Azure. Part of this information is signed so that marketplace images can be sure that it is their image running on Azure. api-version is a mandatory field; refer to the service availability section for supported API versions.
Nonce is an optional digit string. Due to IMDS's caching mechanism, a previously cached nonce value may be returned. The signature blob is a PKCS7-signed version of the document.
It contains the certificate used for signing along with VM details such as vmId, sku, nonce, subscriptionId, the timeStamp for creation and expiry of the document, and the plan information about the image. Plan information is only populated for Azure Marketplace images. The certificate can be extracted from the response and used to validate that the response is genuine and comes from Azure.
The response is a JSON string.

Web applications can trigger requests between HTTP servers. These are typically used to fetch remote resources such as software updates, or to import metadata from a URL or another web application.
While such inter-server requests are typically safe, unless implemented correctly they can render the server vulnerable to Server Side Request Forgery. In an SSRF attack the attacker changes a parameter of the web application in order to create or control requests made by the vulnerable server. When a web application has to retrieve information from an external resource (which could also be an internal service), such as an RSS feed from another website, server-side requests are used to fetch the resource and include it in the web application.
If the attacker is able to change the url parameter to localhost, they are able to view local resources hosted on the server, making it vulnerable to Server Side Request Forgery. If an attacker is able to control the destination of server-side requests, they can potentially perform the following actions. As a best practice, it is always good to keep the attack surface as small as possible; therefore access to certain ports or actions is often restricted to whitelisted machines only.
In fact, servers usually have a trust relationship with other machines in order to share data easily and allow administrative tasks. At the network level, for example, this trust means a firewall only allows access to certain ports if the machine requesting access is on the same local network, or if its IP address is explicitly trusted.
At the software level, trust can look like this: authentication is not required for some administrative tasks as long as the request originates from a trusted IP address. Such trust can also serve as an additional security measure, ensuring that even an attacker who knows the password cannot log in without access to the local network. Through SSRF, the attacker can therefore perform malicious actions on the server itself that would otherwise not be possible from the outside. By exploiting a Server Side Request Forgery vulnerability, attackers may also be able to scan the local or external networks to which the vulnerable server is connected.
Attackers typically use the time a page takes to load, error messages, or banners of the service being probed to determine whether the target is responding and whether the tested port is open. Imagine a service on a website that fetches remote JPEG images so it can determine their dimensions. Once we know how the application behaves for different inputs, we can try to abuse it.
That means that if we send the following request, the response tells us about the target. We can therefore use this method on the vulnerable web application to probe different internal IP addresses and ports and build a complete scan. In effect, the attacker is port scanning without using port scanning software.
When the content of a remote resource is rendered directly into a page, there is a possibility that the attacker can read the content of local files. As an example, consider a web service that removes all images from a given URL and formats the remaining text. It works by first getting the response body of the given URL, then applying the formatting.
The same technique can be used to view the source code of the vulnerable web application. As seen in the above examples, the impact of exploiting a Server Side Request Forgery vulnerability is almost always information disclosure. There are several other things attackers can do when exploiting an SSRF vulnerability, some of which can have more severe consequences, but the impact mainly depends on how the web application uses the responses from the remote resource.
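From the defender's side, the probes described above (requests whose URL parameter points at loopback, internal ranges, the cloud metadata address, or non-HTTP schemes such as file://) are visible in the web server's access log. The following Python script is an added example, not code from the article: it scans constructed Apache-style log lines for a hypothetical /fetch endpoint and flags the suspicious targets, including a decimal-encoded IP address, which is a common way the metadata address is disguised to slip past naive string filters.

```python
"""Flag access-log requests whose user-supplied URL parameter targets internal resources.

Added example. The log lines, the /fetch endpoint and the parameter names are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jul/2019:10:01:02 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jul/2019:10:01:09 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 1280 "-" "curl/7.64.1"
198.51.100.7 - - [29/Jul/2019:10:02:15 +0000] "GET /fetch?url=http%3A%2F%2Flocalhost%3A11211%2F HTTP/1.1" 500 0 "-" "curl/7.64.1"
198.51.100.7 - - [29/Jul/2019:10:02:20 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.64.1"
203.0.113.10 - - [29/Jul/2019:10:03:00 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300 "-" "python-requests/2.22"
192.0.2.4 - - [29/Jul/2019:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
WATCHED_PARAMS = ("url", "uri", "src", "target", "dest", "redirect")  # names worth inspecting
SAFE_SCHEMES = {"http", "https"}
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # AWS/Azure/GCP metadata address


def classify_host(host):
    """Return a reason string if the host is an internal target, else None."""
    if host is None:
        return "missing host"
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return "loopback hostname"
    if name.isdigit():
        # Decimal-encoded IPv4 (2852039166 == 169.254.169.254); normalise before testing.
        name = str(ipaddress.ip_address(int(name)))
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return None  # a DNS name: must be resolved and checked at fetch time instead
    if ip == METADATA_IP:
        return "cloud metadata endpoint"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_private:
        return "private address"
    return None


def analyze_line(line):
    """Parse one log line; return (client_ip, param, target, reason) for a suspicious request."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, path = match.groups()
    query = parse_qs(urlsplit(path).query)  # percent-decodes the parameter values
    for name in WATCHED_PARAMS:
        for target in query.get(name, []):
            parts = urlsplit(target)
            if parts.scheme and parts.scheme.lower() not in SAFE_SCHEMES:
                return (client, name, target, f"non-HTTP scheme {parts.scheme.lower()}")
            reason = classify_host(parts.hostname)
            if reason:
                return (client, name, target, reason)
    return None


def scan_log(text):
    """Return every suspicious hit found in a block of log text, in order."""
    return [hit for hit in (analyze_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for client, param, target, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {param}={target} -> {reason}")
```

Hostnames that are not IP literals are deliberately left alone here: whether a DNS name points inward can only be decided at resolution time, which is a job for the fetching code rather than the log analyser.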
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a whitelist of allowed domains and protocols from which the web server can fetch remote resources. Also, as a rule of thumb, avoid using user input directly in functions that make requests on behalf of the server.

Server Side Request Forgery can be an extremely lucrative finding for an attacker because of the ability to make requests from the target machine.
For AWS this has always been a cause for concern, as there was no authentication required to access this endpoint, and no requirement for a custom header such as both GCP and Azure have. An attacker could then impersonate the role attached to the machine using the temporary credentials and carry out additional discovery or damage. With the introduction of version 2 of the Instance Metadata Service by AWS, authentication is now required to query the endpoint.
IMDSv2 adds the following exploit-mitigating changes to access to the endpoint. This is a fairly new update, and as with any feature introduced after a long interval, adoption is going to be slow. Infra and ops teams that rely on automated scripts to act on AWS EC2 instances based on metadata information will need to update their scripts: add provision for making PUT requests, use the tokens in ALL other requests, and so on.
So, yes, a lot of work is needed before everyone starts using this. This update also does not protect applications that are vulnerable to more advanced forms of SSRF. A web application or network-aware service that lets you craft a complete HTTP request and then makes that request on your behalf from the server will still be vulnerable. Common examples would be API proxying applications, API query builders with API console access (think old Apigee days), web functionality with command arguments, or vanilla command injection; all of these would still be vulnerable.
Any other vulnerability that allows complete control of the HTTP request to be made would still go through. The scenarios are plenty, limited only by our imagination. That said, it is important to note that this is a new feature, is not enabled by default, and will likely not be used on systems with a lot of dependency on version 1.
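To make the IMDSv2 changes concrete, here is an added Python example (not AWS's code and not from the post) that runs a small local stand-in for the metadata service and exercises it with both a bare GET, which is all a typical URL-fetching SSRF can issue, and the legitimate PUT-then-GET token flow. The header names are the real IMDSv2 ones; the credential values are constructed placeholders and the server is a simulation of the documented rules, not the real endpoint.

```python
"""Local simulation of the IMDSv2 session-token flow.

Added example: the server below stands in for the 169.254.169.254 endpoint so the
flow can run offline. It is not AWS's implementation, and the credential values it
returns are constructed placeholders."""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"            # real IMDSv2 header names
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKENS = {}                                       # token -> expiry time (simulation state)
FAKE_CREDS = {"AccessKeyId": "ASIA_PLACEHOLDER", "SecretAccessKey": "<constructed>",
              "Token": "<constructed>", "Type": "AWS-HMAC"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# Opener without a proxy handler, so the loopback test server is always reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class ImdsV2Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the simulation quiet

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # A session token is issued only for a PUT to /latest/api/token carrying a TTL
        # header. An SSRF primitive limited to GET requests never gets past this step.
        if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
            return self._reply(400, "missing TTL header")
        # Requests that passed through a proxy (X-Forwarded-For present) are refused.
        if "X-Forwarded-For" in self.headers:
            return self._reply(403, "forwarded requests rejected")
        ttl = min(int(self.headers[TTL_HDR]), 21600)  # IMDSv2 caps the TTL at six hours
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.time() + ttl
        self._reply(200, token)

    def do_GET(self):
        # Every metadata read must present an unexpired session token.
        token = self.headers.get(TOKEN_HDR)
        if token is None or TOKENS.get(token, 0) < time.time():
            return self._reply(401, "unauthorized")
        if self.path.startswith(CREDS_PATH):
            return self._reply(200, json.dumps(FAKE_CREDS))
        self._reply(404, "not found")


def start_server():
    """Bind the simulated IMDS on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), ImdsV2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def _status(req):
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def v1_style_get(base):
    """A bare GET for role credentials, as a URL-fetching feature abused via SSRF would send."""
    return _status(urllib.request.Request(base + CREDS_PATH + "role-name"))


def proxied_token_request(base):
    """A PUT that arrived via a proxy: rejected even though it carries the TTL header."""
    return _status(urllib.request.Request(base + "/latest/api/token", method="PUT",
                                          headers={TTL_HDR: "300", "X-Forwarded-For": "203.0.113.9"}))


def v2_fetch_credentials(base):
    """The legitimate two-step flow: PUT for a token, then GET with the token header."""
    tok_req = urllib.request.Request(base + "/latest/api/token", method="PUT", headers={TTL_HDR: "300"})
    with OPENER.open(tok_req) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + CREDS_PATH + "role-name", headers={TOKEN_HDR: token})
    with OPENER.open(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    server, url = start_server()
    print("GET without token ->", v1_style_get(url))          # 401
    print("proxied PUT       ->", proxied_token_request(url))  # 403
    print("v2 flow           ->", v2_fetch_credentials(url)["AccessKeyId"])
    server.shutdown()
```

The point the simulation makes is the one the text makes: the protection is the PUT step and the header, not a secret, so anything that gives an attacker full control of method and headers (a proxying API, command injection) is outside what IMDSv2 can stop.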
At Appsecco we provide advice, testing and training around software, infra, web and mobile apps, especially those that are cloud hosted. Drop us an email: contact appsecco. Riyaz Walikar, Chief Offensive Security Officer, Appsecco. Appsecco: making sense of application security for everyone.
Server-Side Request Forgery (SSRF) refers to an attack in which an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Typically, SSRF occurs when a web application makes a request over which an attacker has full or partial control.
A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service. In the above example, since the attacker has full control of the URL parameter, in addition to being able to make arbitrary GET requests to any website on the Internet, an attacker can also make requests to resources on the server itself.
Similarly, SSRF can be used to make requests to other internal resources which the web server has access to but which are not publicly facing. Such a service is only available to the server and not to the outside world. Depending on how the application makes the request, URL schemes other than file and HTTP may also be available to the attacker.
Port is the default port used by Memcached, which is not normally exposed. Acunetix solves this by making use of AcuMonitor as its intermediary service during an automated scan. The alert contains information about the HTTP request that was performed, including the IP address of the server that made the request and the User-Agent string used in the request, if any.
This information can help developers identify the source of the problem and fix it. In general, blacklists are a poor security control because there will always be bypasses the developer did not envisage. Ensuring that the response received from the remote server is indeed what the application expects is important to prevent unforeseen response data leaking to the attacker.
Above all, under no circumstances should the raw response body from the request sent by the server be delivered to the client. Server-Side Request Forgery vulnerabilities could give an attacker the opportunity to access internal services without any authentication standing in the way.
Server Side Request Forgery SSRF vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network.
An attacker may also leverage SSRF to access services available through the loopback interface. SSRF vulnerabilities occur when an attacker has full or partial control of the request sent by the web application.
A common example is when an attacker can control the third-party service URL to which the web application makes a request. In the above example, the attacker has full control of the url parameter. They can make arbitrary GET requests to any website on the Internet and to resources on the server itself (localhost). Attackers can also use SSRF to make requests to other internal resources that the web server has access to but which are not publicly available.
Some applications may let attackers use more exotic URL schemes. The above request causes the application to connect to localhost on port and send the string stat. Port is the default port used by Memcached, which is not normally exposed. To detect Server Side Request Forgery automatically, you need to rely on an intermediary service.
Detection of such vulnerabilities requires an out-of-band and time-delay vector. Acunetix solves this by using AcuMonitor as the intermediary service. The alert contains information about the HTTP request, including the IP address of the server that made the request and the User-Agent string used in the request, if any.
This information can help developers identify the source of the problem and fix it. Simple blacklists and regular expressions applied to user input are a bad approach to mitigating SSRF. In general, blacklists are a poor security control; attackers will always find ways to bypass them.
The correct mitigation to adopt will vary from application to application. In other words, there is no universal fix for SSRF, because the right control depends heavily on application functionality and business requirements.
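The mitigations recommended above (a whitelist of allowed domains and protocols rather than a blacklist, no user input passed straight into request functions, strict handling of the response, and never returning the raw body to the client) combine into one fetch routine. The following Python is an added example and not code from Acunetix or from the Appsecco post; the allowlist, the expected JSON shape ({"items": [...]}) and the sample addresses are hypothetical application policy. It also checks what an allowlisted name actually resolves to, so a name rebound to the metadata address or a loopback address is refused.

```python
"""Hardened remote-resource fetcher: scheme/host allowlist, resolved-address check,
no redirects, and strict response handling so the raw body never reaches the client.

Added example, not code from the article or from Acunetix. ALLOWED_HOSTS and the
expected document shape are hypothetical application policy."""
import ipaddress
import json
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"feeds.example.com", "api.partner.example"}   # hypothetical allowlist
MAX_BODY = 256 * 1024
EXPECTED_CONTENT_TYPE = "application/json"


class FetchRejected(Exception):
    """Raised for any request or response that violates the fetch policy."""


def resolve_all(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_target(url, resolver=resolve_all):
    """Allowlist check, then confirm the name resolves only to globally routable addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise FetchRejected(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise FetchRejected(f"host {host!r} not on allowlist")
    if parts.username or parts.password:
        raise FetchRejected("credentials in URL not allowed")
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        # Refuses loopback, link-local (including 169.254.169.254), RFC 1918 and other
        # non-global space, so an allowlisted name rebound to an internal address still fails.
        if not ip.is_global:
            raise FetchRejected(f"{host} resolves to non-global address {addr}")
    return host


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # a 3xx becomes an HTTPError instead of being followed somewhere new


def http_transport(url):
    """Default transport: a single request, no redirects, bounded read."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read(MAX_BODY + 1)


def safe_fetch(url, resolver=resolve_all, transport=http_transport):
    """Fetch a JSON document from an allowlisted host; return only the fields the app needs."""
    validate_target(url, resolver)
    status, ctype, body = transport(url)
    if status != 200:
        raise FetchRejected(f"unexpected status {status}")
    if ctype.split(";")[0].strip().lower() != EXPECTED_CONTENT_TYPE:
        raise FetchRejected(f"unexpected content type {ctype!r}")
    if len(body) > MAX_BODY:
        raise FetchRejected("response too large")
    try:
        doc = json.loads(body)
    except ValueError:
        raise FetchRejected("body is not valid JSON") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("items"), list):
        raise FetchRejected("unexpected document shape")
    # Re-serialise a bounded projection; the upstream bytes are never echoed to the caller.
    return {"items": [str(item)[:200] for item in doc["items"][:50]]}


if __name__ == "__main__":
    # Stand-in resolver returning a public address, so the demo runs without DNS.
    public = lambda host: {"93.184.216.34"}
    for candidate in ("https://feeds.example.com/feed.json",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd"):
        try:
            print(candidate, "->", validate_target(candidate, resolver=public))
        except FetchRejected as why:
            print(candidate, "-> rejected:", why)
```

One caveat: validating the resolved address and then letting the HTTP library resolve the name again is a check-then-use gap that DNS rebinding can exploit. The complete fix is to connect to the address that was validated (pinning it, with the hostname supplied for the Host header and TLS SNI) or to resolve once through a resolver the application controls.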