Enhancing security: preventing Server-Side Request Forgery (SSRF) attacks

Server-Side Request Forgery (SSRF) is an attack in which an attacker abuses a web application's own outbound-connection features to make the server issue requests on the attacker's behalf: scanning ports and networks, and probing backend services that the attacker cannot reach directly from outside. ITX Design Server has two capabilities that can be misused to perform SSRF attacks:
  1. When an end user defines the ITX Design Server REST API connection parameters while designing REST API service endpoints (services are designed using the ITX Design Server's services functionality), SSRF can be performed by manipulating the external endpoint connection parameters, that is, by pointing the REST URL at intranet addresses or at arbitrary external internet addresses.
  2. When an end user defines runtime server connections (runtime server connections are designed using the ITX Design Server's servers functionality, and the created servers are used to deploy flows, maps, and endpoints), SSRF can be performed by manipulating the server URL, again by pointing it at intranet addresses or at arbitrary external internet addresses.

To mitigate SSRF attacks, ITX Design Server offers protection through fine-tuning of the following config.yaml settings:

"""
...
server:

  # Defines the minimum timeout (in seconds) for the runtime server connection test.
  # This feature prevents port scans using SSRF.
  testConnectionMinimumTimeout: 6
  runtime:
    # Deployment is allowed only to this list of runtime servers
    servers:
      - localhost:8443
      - localhost:9443
      - localhost:8080
      - tx-rest:8443
      - tx-rest:8080

  services:
    endpoints:
      # List any addresses that should be blocked in service endpoint URLs.
      # Block local and private network requests to prevent SSRF attacks.
      blacklist:
        - "0.0.0.0-0.255.255.255"
        - "127.0.0.0-127.255.255.255"
        - "169.254.0.0-169.254.255.255"
        - "100.64.0.0-100.127.255.255"
        - "10.0.0.0-10.255.255.255"
        - "192.168.0.0-192.168.255.255"
        - "172.16.0.0-172.31.255.255"
        - "localhost"
      # If set to true, allow only connections to endpoints that are whitelisted
      enable_whitelist: false
      whitelist:
        - "127.0.0.1"
        - "localhost"
        - "myserver3:port"
...
"""