SSRF vulnerabilities can be extremely damaging
Cloud-native applications are at especially high risk from this vulnerability category. This is mainly because SSRF flaws of this kind let an attacker set arbitrary headers in the outgoing request, and because they also let the attacker read the response.
For example, if the server is hosted on Google Cloud Platform, an API access token could be leaked by forging a request to the instance metadata endpoint:
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Mitigation
SSRF attacks like the one described above can be mitigated by configuring the HTTP client not to follow redirects automatically. Instead, validate the value of the Location header of the response and issue a new request only after the target has passed validation. This also protects against Open Redirect vulnerabilities.
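The mitigation above, as an added illustration that is not code from the original page or from the affected product: a small Python helper that refuses to follow redirects on its own, validates every Location value against a scheme and destination-address policy, and only then issues the next request. The function names, the blocked-host list, the fake responses and the fake resolver are all assumptions constructed for the example so that it runs offline.

```python
"""Redirect-validating server-side fetch (added example; names are hypothetical)."""
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Assumed policy: only http(s), never these hostnames, at most five hops.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata"}
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def default_resolve(name):
    """Map a hostname to its IP addresses via DNS (empty list on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def is_safe_target(url, resolve=default_resolve):
    """Return True only if url is http(s) and every resolved address is public.

    The resolver is checked so that a DNS name pointing at a private or
    link-local address (the metadata range, loopback, RFC 1918) is rejected,
    not just literal IPs and the hostnames in BLOCKED_HOSTS.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False
    return all(a.is_global and not a.is_multicast for a in addrs)


def fetch_with_validated_redirects(url, http_get, resolve=default_resolve):
    """Follow redirects manually, validating each Location before requesting it.

    http_get(url) must perform ONE request without following redirects and
    return (status, headers, body). It is injected so the logic is testable
    offline; with the requests library it would wrap
    requests.get(url, allow_redirects=False, timeout=...).
    Returns (status, body, list_of_urls_actually_requested).
    """
    visited = []
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_target(url, resolve):
            raise ValueError(f"blocked unsafe target: {url}")
        visited.append(url)
        status, headers, body = http_get(url)
        if status not in REDIRECT_STATUSES:
            return status, body, visited
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect response without Location header")
        # Relative redirects are resolved against the current URL, and the
        # result goes through is_safe_target again at the top of the loop.
        url = urljoin(url, location)
    raise ValueError("too many redirects")


# Constructed fake server responses and DNS answers (not real traffic).
FAKE_RESPONSES = {
    "https://example.com/start": (302, {"Location": "/page"}, b""),
    "https://example.com/page": (200, {}, b"hello"),
    "https://example.com/hop": (302, {"Location": "http://internal.corp/admin"}, b""),
    "https://example.com/evil": (
        302, {"Location": "http://metadata.google.internal/computeMetadata/v1/"}, b""),
}


def fake_get(url):
    """Stand-in for a single, non-redirecting HTTP GET."""
    return FAKE_RESPONSES.get(url, (404, {}, b""))


def fake_resolve(name):
    """Stand-in resolver: example.com is public, internal.corp is RFC 1918."""
    return {"example.com": ["93.184.216.34"], "internal.corp": ["10.0.0.5"]}.get(name, [])


if __name__ == "__main__":
    print(fetch_with_validated_redirects("https://example.com/start", fake_get, fake_resolve))
    for bad in ("https://example.com/hop", "https://example.com/evil"):
        try:
            fetch_with_validated_redirects(bad, fake_get, fake_resolve)
        except ValueError as exc:
            print("rejected:", exc)
```

The key design point is that the client never lets the HTTP library chase a 3xx on its own: each hop re-enters the same validation as the original URL, so a public-looking first request cannot be turned into a request to the metadata service, loopback or an internal host through a redirect.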
The XSS attack described above has been fixed by removing the code that transformed the form tag altogether.
Download and install the following recommended patches:
- Patch 18 of the 8.8.15 series
- Patch 16 of the 9.0 series
There were some issues with previous versions of these patches that have since been repaired.