
I'm reading now about SSRF attacks, and many articles "SSRF is an attack" and others said "it's a vulnerability." Which is correct?

schroeder
    I added the `ssrf` tag to your question. The description of the tag will probably answer your question. It's both. – schroeder Feb 02 '19 at 13:02
  • I disagree, I see it as an attack. For me, "detecting SSRF" has a different meaning than "detecting a system is vulnerable to SSRF". I don't think forgery is a vulnerability, forgeability is. – J.A.K. Feb 02 '19 at 19:52

1 Answer


Let's begin by expanding the acronym: Server Side Request Forgery (SSRF).

It is nicely explained on this Acunetix page with detail (including vulnerable code and examples). They consider it an attack. OWASP also classifies it as an attack.

Now, the source of the confusion on whether something should be termed an attack or a vulnerability is that generally those go in pairs, and we talk about them very loosely. So we could both say:

  • Mallory performed a ssrf and dumped the password hashes.
  • There is a ssrf on this application that we need to fix

The first refers to a ssrf attack while the second to a ssrf vulnerability. This is common; you can swap SSRF with SQLi above and have the same result.¹ Actually, for every foo attack, you could refer to a corresponding foo vulnerability that would be defined as: a foo attack would work. The context disambiguates them in every case, so we go on doing that, even if it's not the most purist way to phrase it.

But simplifications aside, I would consider SSRF to be an attack. This is a Forgery, so it is actually an attack.

As described by OWASP:

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.

Even though we would talk about a SSRF vulnerability, strictly it is being vulnerable to a SSRF attack. The vulnerability itself would be a lack of validation. Of course, how exactly we categorize it will depend on the exact definitions we use for both attack and vulnerability.

According to CISSP a vulnerability is

The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently.

ISO/IEC TS 17961 C Secure Coding Rules defines it as a

set of conditions that allows an attacker to violate an explicit or implicit security policy

MITRE says

A "vulnerability" is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.

We need some stretching to fit the “SSRF vulnerability” into these definitions, as it is not a weakness, but the consequence of the weakness: a SSRF attack would work.

Thus, SSRF is the name of an attack, not a vulnerability, and sensu stricto we should talk about being vulnerable to a SSRF attack, not having a SSRF vulnerability.


¹ In fact, we have an exact duplicate of this question but referring to XSS instead of SSRF: Is XSS a vulnerability or an attack?

Ángel
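To make the answer's distinction concrete in code: the weakness is the missing validation of the outbound URL, and the attack is what that weakness permits. The following is an added Python example, not code from the question, the answer or any project; the allowlist, the fake resolver and the sample addresses are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this hypothetical service should fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com"}

# Constructed resolver so the example runs offline. A real check resolves via DNS
# and should connect to the address it validated rather than re-resolve later.
FAKE_DNS = {"api.example.com": "93.184.216.34"}  # constructed public address


def weak_check(url):
    """The weakness the answer describes: any non-empty URL is fetched server-side."""
    return bool(url)


def hardened_check(url, resolve=FAKE_DNS.get):
    """Validation that removes the weakness. Returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname  # parsed host, not a substring match on the raw string
    if host not in ALLOWED_HOSTS:
        return False, "host %r not in allowlist" % host
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    addr = resolve(host)
    if addr is None:
        return False, "host does not resolve"
    ip = ipaddress.ip_address(addr)
    if not ip.is_global or ip.is_multicast:
        return False, "host resolves to non-public address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and several the check must refuse.
    for url in ("https://api.example.com/v1/items",
                "http://127.0.0.1/",
                "file:///etc/passwd",
                "https://api.example.com@other.example.net/"):
        print(weak_check(url), hardened_check(url), url)
```

The last sample shows why the host is taken from the parsed URL: a naive substring check for the allowlisted name would accept it.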