I think it would be a good idea to add some slides in the "for engineers" deck that talk about Server Side Request Forgery (SSRF). As more applications are built (or migrated) using public cloud providers like AWS, SSRF attacks on metadata APIs will become more prevalent.

These are some resources on SSRF:

Takeaways for engineers:

- Follow the principle of least privilege to contain the blast radius.
- Don't blindly trust URLs from the client. Exercise caution when implementing URL unfurling logic or the like.
- Ensure any data retrieved from an API has the expected format before sending it to the client or clients, e.g. if an image is expected, ensure that an image was retrieved.
- For code that is meant to access public URLs, ensure it cannot access internal endpoints.
  - Don't rely on regular expressions alone to filter out "bad IP addresses".
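The following is an added example, not code from the issue or the slide deck it proposes, showing one way to implement the last three takeaways in a service that fetches client-supplied URLs (an unfurler or image proxy). It vets the URL by resolving the hostname and judging every returned address with the `ipaddress` module's predicates instead of a regex over the URL text, and it checks a fetched body against both its declared type and its leading bytes before accepting it as an image. The function names (`ip_is_blocked`, `resolve_url_target`, `response_is_expected_image`, `check_urls`), the `CONSTRUCTED_DNS` table and the `constructed_resolver` stand-in for `socket.getaddrinfo` are all assumptions made here so the example runs offline; a real deployment passes the default resolver.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Expected image types and the leading bytes each one must start with.
ALLOWED_IMAGE_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def ip_is_blocked(ip_text):
    """True unless the resolved address is public, routable unicast.

    The decision is made on the address the resolver returned, using
    ipaddress predicates, never on how the URL spelled it: alternative
    spellings of the same address are canonicalised by resolution first.
    """
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by its IPv4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (which includes the
    # 169.254.169.254 cloud metadata endpoint), CGNAT space and IPv6 ULA/doc ranges.
    return (not ip.is_global or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def resolve_url_target(url, resolver=socket.getaddrinfo):
    """Vet a client-supplied URL; return (host, port, ips) or raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError("cannot resolve %r" % parts.hostname) from exc
    # Every address the name maps to must pass; a name with one public and one
    # internal record is refused outright rather than trusting the first record.
    ips = sorted({info[4][0] for info in infos})
    for ip in ips:
        if ip_is_blocked(ip):
            raise ValueError("%s resolves to non-public %s" % (parts.hostname, ip))
    return parts.hostname, port, ips


def response_is_expected_image(content_type, body):
    """Accept a fetched body only if the declared type is an allowed image type
    and the leading bytes match it; the Content-Type header alone is chosen by
    whoever controls the remote server."""
    declared = content_type.split(";")[0].strip().lower()
    magic = ALLOWED_IMAGE_TYPES.get(declared)
    return magic is not None and body.startswith(magic)


def check_urls(urls, resolver=socket.getaddrinfo):
    """Map each URL to 'ok' or to the reason it was refused."""
    results = {}
    for url in urls:
        try:
            resolve_url_target(url, resolver=resolver)
            results[url] = "ok"
        except ValueError as exc:
            results[url] = "refused: %s" % exc
    return results


# Constructed DNS table (an assumption of this example) so it runs offline.
# Public entries use well-known resolver addresses because the RFC 5737
# documentation ranges are themselves classed as non-global by ipaddress.
CONSTRUCTED_DNS = {
    "images.example.com": ["8.8.8.8"],
    "metadata.example.com": ["169.254.169.254"],   # name aliased to metadata
    "split.example.com": ["8.8.4.4", "10.0.0.5"],   # mixed public/internal
}


def constructed_resolver(host, port, type=socket.SOCK_STREAM):
    """Stand-in for socket.getaddrinfo over CONSTRUCTED_DNS (same return shape).
    The parameter is named `type` only to match getaddrinfo's keyword."""
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup
    except ValueError:
        if host not in CONSTRUCTED_DNS:
            raise socket.gaierror(-2, "Name or service not known")
        addrs = CONSTRUCTED_DNS[host]
    return [(socket.AF_INET, type, socket.IPPROTO_TCP, "", (a, port)) for a in addrs]


if __name__ == "__main__":
    sample = [
        "https://images.example.com/cat.png",
        "http://metadata.example.com/",
        "http://split.example.com/",
        "http://169.254.169.254/",
        "http://[::1]:8080/",
        "file:///etc/hosts",
    ]
    for url, verdict in check_urls(sample, resolver=constructed_resolver).items():
        print("%-40s %s" % (url, verdict))
```

Two points about the design. The address check runs on resolver output rather than on the URL string, which is what makes it independent of how the address was spelled; that is the concrete reason a regex over the text is not enough. It is also only valid for the addresses it saw: the fetch that follows should connect to one of the vetted IPs (setting the Host header itself) instead of letting the HTTP client resolve the name a second time, since a name whose records change between the check and the connection would otherwise pass the check and reach an internal address anyway. Redirects need the same treatment, with each hop's target vetted before it is followed.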