HackerOne recently hosted AWS and a panel of expert ethical hackers to discuss how Server-Side Request Forgery (SSRF) vulnerabilities and cloud misconfiguration give hackers rich ground for discovering vulnerabilities and improving their skills, while also representing significant, multi-layered security risks for many organizations.
HackerOne’s Head of Hacker Education Ben Sadeghipour was joined by Aron Eidelman (@so1o-hunter), Partner Solutions Architect at AWS; Nathanial Lattimer (@d0nut), hacker, CTF creator and Lead Security Engineer at Grapl; and Jesse Kinser (@Randomdeduction), hacker and CTF participant.
In the past year, organizations spent about $3 million mitigating SSRF-related incidents with hacker-powered security. Had any of these vulnerabilities been exploited in an actual attack, the total impact, including financial, operational, and reputational costs, would have been significantly greater. As one indicator of how seriously organizations take these vulnerabilities, bounties paid to hackers for reported SSRF vulnerabilities rose 103%. Taking a security-first approach to your cloud transformation is vital in lowering the potential risk to your organization’s most critical assets. Preventing a security incident starts with detecting vulnerabilities both in your cloud-native apps and in the apps you need to migrate. Even the best tools do not eliminate the need for human expertise, since security vulnerabilities often require lateral analysis to be discovered.
Here are a few highlights from the discussion:
AWS CTF Takeaways
Ben Sadeghipour of HackerOne explained that they built the CTF around a vulnerability that had actually been found and exploited, rather than around something they merely thought might be possible, which made for a more real-world experience. Using real vulnerabilities as the starting point allows for more realistic scenarios.
Nathanial’s goal was to integrate many different AWS services into the CTF, exposing participants to services that many hackers might not otherwise interact with. These additional layers led to the discovery of more vulnerabilities, maximizing the outcome and takeaways for the hackers.
Jesse called it a great learning opportunity: she took the new skills and expertise back to her company and applied them to its own assets and infrastructure to make sure they were protected against the same types of attacks.
Learning from SSRF Vulnerabilities
During the session, an audience poll revealed that 43% of attendees didn’t know what SSRF was. SSRF is a web security vulnerability that allows an attacker to induce a server-side application to make HTTP requests to an arbitrary destination of the attacker’s choosing. Because the vulnerable server sits inside the organization’s environment, a hacker who finds an SSRF in a web app can use that server as a pivot into private networks and internal services that are not reachable from the internet, simulating what a real attacker would be able to exploit. “A breach at that point is not a matter of if. It’s a matter of when,” said Nathanial Lattimer.
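To make the definition above concrete, here is an added example (not code from HackerOne, AWS or any of the panelists) showing a URL-fetching endpoint the way it is usually written, next to a hardened version. The hardened version restricts scheme and port, resolves the hostname and rejects the request if any resolved address is private, loopback or link-local (the 169.254.0.0/16 range is where cloud instance metadata services such as EC2’s IMDS live), and then connects to the address it validated rather than re-resolving the name. The hostnames and IP addresses in FAKE_DNS are constructed for the demo so it runs offline; _default_resolver performs real DNS lookups when the hardened fetcher is used for real.

```python
"""SSRF: a URL fetcher as it is usually written, next to a hardened one.

Added example, not code from HackerOne, AWS or the panelists. Hostnames and
addresses in FAKE_DNS are constructed for the demo; _default_resolver does
real DNS lookups when fetch_hardened is used for real.
"""
import http.client
import ipaddress
import socket
import ssl
import urllib.request
from urllib.parse import urlparse, urlunparse


# --- Vulnerable: the server fetches whatever URL the client supplies --------
def fetch_vulnerable(url: str) -> bytes:
    # Whatever the server can reach, the client can now reach through it:
    # http://169.254.169.254/latest/meta-data/ (cloud instance metadata),
    # http://127.0.0.1:6379/ (a local service), file:///etc/passwd, and so on.
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


# --- Hardened: restrict scheme and port, check every resolved IP, pin it ----
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _default_resolver(host: str) -> list[str]:
    """All A/AAAA answers for host (real DNS)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror as exc:
        raise ValueError(f"{host} did not resolve: {exc}") from exc


def _is_public(ip: str) -> bool:
    """False for anything an SSRF is typically aimed at on the inside."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _resolve(host: str, resolver) -> list[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        return resolver(host)  # getaddrinfo also normalises forms like 2852039166


def validate_target(url: str, resolver=_default_resolver) -> tuple[str, str]:
    """Return (hostname, ip_to_connect_to) or raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")  # http://trusted.example@10.0.0.5/
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    ips = _resolve(parts.hostname, resolver)
    # Every answer must be public: a name with one public and one internal
    # record, or an alias for 169.254.169.254, is rejected outright.
    bad = [ip for ip in ips if not _is_public(ip)]
    if bad:
        raise ValueError(f"{parts.hostname} resolves to non-public {bad}")
    return parts.hostname, ips[0]


def is_safe_url(url: str, resolver=_default_resolver) -> bool:
    try:
        validate_target(url, resolver)
        return True
    except ValueError:
        return False


def fetch_hardened(url: str, resolver=_default_resolver) -> bytes:
    host, ip = validate_target(url, resolver)
    parts = urlparse(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Connect to the address we checked, not to the name, so a DNS answer that
    # changes between validation and use (rebinding) buys the attacker nothing.
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    if parts.scheme == "https":  # TLS still validates the certificate against host
        conn.connect()
        conn.sock = ssl.create_default_context().wrap_socket(conn.sock, server_hostname=host)
    path = urlunparse(("", "", parts.path or "/", parts.params, parts.query, ""))
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:  # http.client never follows redirects; neither do we,
        raise ValueError(f"redirect to {resp.getheader('Location')!r} refused")  # validate first
    return resp.read()


# Constructed DNS answers so the demo and its checks run offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],                       # stands in for a public host
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],   # public + internal record
    "meta.attacker.example": ["169.254.169.254"],               # alias for the metadata IP
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"NXDOMAIN: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/status",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://meta.attacker.example/latest/meta-data/",
              "http://rebind.attacker.example/",
              "http://api.example.com:6379/",
              "file:///etc/passwd"):
        print("ALLOW" if is_safe_url(u, fake_resolver) else "DENY ", u)
```

Two details are worth noting. First, the check is made on the resolved addresses, not on the URL string, because the resolver is what ultimately decides where the connection goes: a hostname that aliases the metadata IP, a decimal or IPv4-mapped encoding of it, or a record set mixing public and internal addresses all fail in the same place. Second, the hardened fetcher refuses redirects instead of following them, because a 3xx from an allowed public host is the standard way to bounce a validated request back at an internal target; if redirects are required, the Location header has to go through validate_target again before the next hop.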
Aron Eidelman of AWS added that as the industry moves from on-prem monolithic applications to cloud microservices, attack surfaces increase exponentially. These services allow the fast development and deployment of apps. But with accelerated app delivery comes an explosion of cloud misconfiguration just waiting to be leveraged by cybercriminals.
Security-by-design was a common discussion thread. “Instead of waiting for security to react in production, DevOps heads off these vulnerabilities at the design stage.” Eidelman recommends threat modeling up front and points out that human testers, i.e., hackers, can find issues in code before it is released to production. It’s important to do this early and often so teams can understand how to fix any issues that come up; vulnerabilities that have sat in the code for several months become much harder to fix.
One way to uncover SSRF vulnerabilities before exploitation is with hacker-powered security, as these hackers have shown. HackerOne’s continuous testing platform can help by allowing you to test systematically at each level of the SDLC. Hacker-powered security helps security teams increase visibility, manage costs, and address evolving threats with consolidated, scalable security solutions.
Want to learn more? Watch the full discussion here.