Enhancing security: preventing Server-Side Request Forgery (SSRF) attacks
Server-Side Request Forgery (SSRF) attacks misuse a web application's built-in ability to open outbound connections in order to scan ports and networks and to probe the application's backend. ITX Design Server has two capabilities that can be misused to perform SSRF attacks:
- When an end user defines the ITX Design Server REST API connection parameters while designing REST API service endpoints (services are designed with the ITX Design Server services functionality), SSRF can be performed by manipulating the external endpoint connection parameters: the REST URL connections can be pointed at intranet addresses or at external internet addresses.
- When an end user defines runtime server connections (runtime server connections are designed with the ITX Design Server servers functionality, and the created servers are used to deploy flows, maps, and endpoints), SSRF can be performed by manipulating the server URL: the URL can be pointed at intranet addresses or at external internet addresses.
To mitigate SSRF attacks, ITX Design Server offers protection through fine-tuning of the config.yaml settings:
"""
...
server:
# Defines minimum timeout for the runtime server connection test
# This feature prevents port scans using SSF
testConnectionMinimumTimeout: 6
runtime:
#Deployement is allowed only to this list of runtime servers
servers:
- localhost:8443
- localhost:9443
- localhost:8080
- tx-rest:8443
- tx-rest:8080
services:
endpoints:
# List any addresses that should be blocked in service endpoint URLs
# Block local and private network requests to prevent SSF attacks
blacklist:
- "0.0.0.0-0.255.255.255"
- "127.0.0.0-127.255.255.255"
- "169.254.0.0-169.254.255.255"
- "100.64.0.0-100.127.255.255"
- "10.0.0.0-10.255.255.255"
- "192.168.0.0-192.168.255.255"
- "172.16.0.0-172.31.255.255"
- "localhost"
#If set to true, allow only connections to endpoints that are whitelisted
enable_whitelist: false
whitelist:
- "127.0.0.1"
- "localhost"
- "myserver3:port
...
"""