Defending against SSRF attacks (with help from our bug bounty program)

Over the past few years, server-side request forgery (SSRF) has received an increasing amount of attention from security researchers. With SSRF, an attacker induces a server to make a request on their behalf, retargeting it at internal services and exploiting the implicit trust those services place in traffic that originates inside the network. It often escalates into a critical vulnerability, and in 2021 it was listed in the OWASP (Open Web Application Security Project) Top 10 web application security risks. At Dropbox, it is the Application Security team's responsibility to guard against and address SSRF in a scalable manner, so that our engineers can deliver products securely and with as little friction as possible.
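The following is an added example, not code from the original post or from Dropbox, showing the defence the paragraph above describes in its simplest form: a URL fetcher that trusts the supplied URL as-is, beside a hardened variant that resolves the host and refuses the request if any resolved address is loopback, private, link-local (the cloud metadata endpoint lives there), multicast or reserved. The scheme allow-list and the sample URLs are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Schemes an outbound fetcher is allowed to use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_ip(ip):
    """True for any address an outbound fetch must never reach: loopback,
    RFC 1918 / ULA private ranges, link-local (which includes the
    169.254.169.254 cloud metadata endpoint), multicast, reserved and
    unspecified addresses. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped
    first so it cannot be used to slip past the IPv4 checks."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host, port):
    """Resolve a host to every address it maps to. The caller refuses the
    fetch if *any* of them is forbidden; otherwise an attacker can register
    a name with one public and one internal A record and let the resolver
    pick the internal one."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def vulnerable_target(url):
    """The 'before' picture: trusts the URL as supplied and returns the
    host/port the fetcher would connect to, with no check at all. A URL
    such as http://169.254.169.254/ sails straight through."""
    u = urlparse(url)
    return (u.hostname, u.port or (443 if u.scheme == "https" else 80))


def hardened_target(url):
    """Validate the scheme, resolve the host, and reject the request if any
    resolved address is forbidden. Returns the (ip, port) the caller should
    connect to directly (sending the original Host header), so a second DNS
    lookup at connect time cannot swap in an internal address. Raises
    ValueError on rejection."""
    u = urlparse(url)
    if u.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {u.scheme!r}")
    if not u.hostname:
        raise ValueError("URL has no host")
    if u.username or u.password:
        raise ValueError("credentials in the URL are not allowed")
    port = u.port or (443 if u.scheme == "https" else 80)
    addrs = resolve_all(u.hostname, port)
    if not addrs:
        raise ValueError(f"{u.hostname} did not resolve")
    for ip in addrs:
        if is_forbidden_ip(ip):
            raise ValueError(f"{u.hostname} resolves to forbidden address {ip}")
    return (str(addrs[0]), port)


def is_safe_url(url):
    """Boolean wrapper around hardened_target for callers that only need
    an allow/deny decision."""
    try:
        hardened_target(url)
        return True
    except (ValueError, socket.gaierror):
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a cloud metadata URL, a loopback service
    # and a public address literal.
    for url in ("http://169.254.169.254/latest/meta-data/",
                "http://127.0.0.1:8080/admin",
                "http://1.1.1.1/"):
        print(url, "->", vulnerable_target(url), "| safe:", is_safe_url(url))
```

Two caveats matter in practice. First, the check runs on the resolved addresses rather than on the URL string, so alternative spellings of an internal address that the platform resolver accepts are caught along with plain dotted-quad ones. Second, the check must be repeated on every redirect hop: an HTTP client that follows a 302 from a public host to http://127.0.0.1/ re-introduces the vulnerability, so either disable redirects or re-validate each Location before following it.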

On February 19, 2021, HackerOne user Kumar Saurabh reported a critical SSRF vulnerability to us through our bug bounty program. With this vulnerability, an attacker could make an HTTP GET request to internal endpoints within the production environment and read the response. After reproducing the vulnerability, we immediately declared an internal security incident, worked on a quick fix to close the hole, and pushed the fix to production in around eight hours. (We have no reason to believe this vulnerability was ever actively exploited, and no user data was at risk.)

Since most of our internal services speak gRPC, a modern RPC framework with built-in authentication mechanisms, they cannot be driven by a plain HTTP GET, which limited what an attacker could reach through this vulnerability. Even so, based on our research into the potential impact, we calculated the bounty to be worth $27,000.

In this blog post, we...
