As part of the Data and Network Security course, this project focused on understanding, analyzing, and addressing modern web security threats, with a particular emphasis on Cross-Site Security and Server-Side Request Forgery (SSRF) Attacks. The project was conducted in two phases:
Literature Analysis: A review and synthesis of existing research on Cross-Site Security and SSRF vulnerabilities.
Final Report: A comprehensive report proposing a well-founded approach to tackling SSRF vulnerabilities.
The first phase of our project involved conducting a comprehensive literature analysis on the topic of Cross-Site Security. This phase required us to analyze and synthesize insights from two academic papers provided by our professor, as well as a third paper of our choosing on a related topic.
To provide a more comprehensive understanding, we selected Server-Side Request Forgery (SSRF) Prevention as the focus of the third paper. Since the first two papers primarily focused on the client-side aspect of Cross-Site Security, we wanted to expand our analysis to also address the server-side perspective. This approach allowed us to bridge the concepts from the first two papers and present a well-rounded view of key threats and mitigation strategies within the broader scope of Cross-Site Security.
The three analyzed papers were:
Finally, we prepared and delivered a lecture on Cross-Site Security and SSRF Prevention for our classmates to present the key insights from the three analyzed papers. The lecture highlighted the differences between client-side and server-side security threats, providing a comprehensive overview of the challenges and mitigation strategies discussed in the literature.
The presentation used during the lecture is available for download:
The second phase of the project focused on addressing the growing threat of Server-Side Request Forgery (SSRF) attacks, with a particular emphasis on Out-of-Band (OOB) SSRF. While traditional solutions effectively address in-band SSRF attacks, OOB SSRF attacks remain more challenging to detect and prevent due to their indirect nature. Our goal was to analyze existing methods, identify their limitations, and propose an enhanced approach for robust protection against OOB SSRF threats.
Our proposed solution builds upon the existing use of reverse proxies and helper servers but introduces key improvements to strengthen security. The enhancements include:
Advanced Redirection Handling: Improved logic to prevent attackers from exploiting redirection paths, such as open redirects or URL manipulations.
Strict Destination Verification: Verifying the final destination of requests to ensure they are routed only to trusted endpoints, thereby preventing unauthorized access to internal systems.
Content Verification: Analyzing the type and structure of request content to block access to sensitive resources (like cloud metadata endpoints) and filter out illegitimate requests.
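The three enhancements above can be illustrated as one outbound-request policy enforced by the proxy. The following is an added example written for this page, not code from the project report: a guarded fetch that checks the scheme, a host allowlist and the resolved addresses of every destination, re-runs that check on each redirect hop instead of letting the HTTP client follow redirects blindly, and finally refuses responses whose media type is not expected. The allowlist, the DNS table and the web responses are constructed stand-ins so the example runs offline; the link-local address used as a redirect target stands for a cloud metadata endpoint.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed policy for the example: the only destinations the proxy may reach.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com", "metrics.example.com"}
ALLOWED_CONTENT_TYPES = {"application/json", "image/png"}
MAX_REDIRECTS = 3


class SSRFBlocked(Exception):
    """Raised when a request (or one of its redirect hops) violates the policy."""


def is_public_ip(ip_str):
    """True only for globally routable addresses; everything else counts as internal."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_destination(url, resolver):
    """Strict destination verification: scheme, userinfo, host allowlist, resolved IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL is not allowed")
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not in allowlist: {host!r}")
    # Resolve every address and reject internal ones, so an allowlisted name
    # that points (or is later rebound) to an internal address is still refused.
    addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"cannot resolve host: {host!r}")
    for addr in addresses:
        if not is_public_ip(addr):
            raise SSRFBlocked(f"{host} resolves to internal address {addr}")
    return parts


def guarded_fetch(url, resolver, transport):
    """Fetch through the policy, re-verifying the destination at every redirect.

    `transport(url)` must NOT follow redirects itself; it returns
    (status, headers, body) for exactly the URL it was given.
    """
    current, hops = url, 0
    while True:
        check_destination(current, resolver)
        status, headers, body = transport(current)
        if status in (301, 302, 303, 307, 308):
            hops += 1
            if hops > MAX_REDIRECTS:
                raise SSRFBlocked("too many redirects")
            location = headers.get("Location")
            if not location:
                raise SSRFBlocked("redirect without Location header")
            current = urljoin(current, location)  # handles relative and absolute targets
            continue  # the new target is verified at the top of the loop
        # Content verification: only expected media types reach the caller.
        media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if media_type not in ALLOWED_CONTENT_TYPES:
            raise SSRFBlocked(f"content type not allowed: {media_type!r}")
        return status, body


# --- Constructed stand-ins for DNS and HTTP so the example runs offline ---
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35"],
    "metrics.example.com": ["10.0.0.5"],  # allowlisted name, but resolves internally
}

FAKE_WEB = {
    "https://api.example.com/data": (200, {"Content-Type": "application/json"}, b'{"ok": true}'),
    "https://api.example.com/old": (302, {"Location": "/data"}, b""),
    "https://api.example.com/leak": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
    "https://api.example.com/page": (200, {"Content-Type": "text/html"}, b"<html></html>"),
    "https://api.example.com/loop": (302, {"Location": "/loop"}, b""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url):
    return FAKE_WEB.get(url, (404, {}, b""))


def try_fetch(url):
    """Run one request through the proxy policy and report the outcome as a tuple."""
    try:
        return ("ok",) + guarded_fetch(url, fake_resolver, fake_transport)
    except SSRFBlocked as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for u in ["https://api.example.com/data", "https://api.example.com/old",
              "https://api.example.com/leak", "https://api.example.com/page",
              "https://api.example.com/loop", "https://metrics.example.com/q",
              "https://api.example.com@evil.example.net/", "ftp://api.example.com/"]:
        print(u, "->", try_fetch(u))
```

The order of checks matters: the allowlist is consulted before any network activity, the resolved addresses are checked so that DNS answers pointing into private, loopback or link-local ranges are refused even for allowlisted names, and because the loop re-runs the whole check on every `Location` target, a redirect from a trusted host to an internal endpoint is caught in the same place as a direct request to it. A real deployment would additionally pin the connection to the verified address rather than resolving twice.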
To ensure the feasibility and effectiveness of our proposed solution, we designed a testing and evaluation framework. While we did not implement or test the solution directly, we proposed a method for future testing and validation. This framework outlines a controlled testing environment to simulate potential attack scenarios, along with methods to measure system performance and security robustness.
Our Final Report on SSRF Mitigation is available for download:
The report outlines our analysis of Server-Side Request Forgery (SSRF) attacks, highlights the limitations of existing mitigation methods, and presents our proposed approach for preventing Out-of-Band (OOB) SSRF threats.