SSRF Cross Protocol Redirect Bypass

We discussed this vulnerability during Episode 197 on 20 March 2023

When the ssrfFilter library is used together with the Request library in JavaScript, a bug can result in the SSRF filter being silently disabled. The anti-SSRF library, ssrfFilter, works by creating its own agent object that can be used in place of Node’s default request agent for http/https requests. As the agent, it can apply SSRF filtering at a relatively low level, which makes it harder to bypass, but this depends on being able to control the agent the higher-level library (in this case the Request library) is using. On a cross-protocol redirect, such as from http to https, the Request library deletes the existing agent (and later replaces it with the default one). This has to happen because the default agent only works for one protocol. However, it also means that if someone has configured the anti-SSRF library’s agent to be used, the filtering can be disabled simply by redirecting across protocols.

The authors also looked at a couple of other libraries, finding that node-fetch was not vulnerable as it didn’t support cross-protocol redirects, and that axios’s configuration takes in separate http and https agents, though notably an application can forget to set one of the agents and end up with a similar bypass.