Where URLs Become Weapons: Automated Discovery of SSRF Vulnerabilities in Web Applications
Enze Wang, Jianjun Chen, Wei Xie, Chuhan Wang, Yifei Gao, Zhenhua Wang
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 4
This presentation, delivered by Enze Wang from the National University of Defense Technology and collaborators, introduces a framework for systematically identifying Server-Side Request Forgery (SSRF) vulnerabilities. SSRF is a critical web security flaw, consistently listed among the OWASP Top 10, that allows attackers to coerce a server into making arbitrary requests to internal network resources or other external services on the attacker's behalf. Despite its severe implications, the discovery of new SSRF vulnerabilities has historically relied on manual testing methods that are inefficient and incomplete, leaving a significant attack surface exposed.
AI review
This work introduces SSRFuzz, a critical advancement in automated SSRF vulnerability discovery. Its novel three-stage framework, leveraging an SSRF Oracle and dynamic taint analysis with Levenshtein distance filtering, identified 73 new PHP sinks and 25 new vulnerabilities, earning 16 CVEs. This research significantly outperforms existing tools, offering a powerful, efficient, and much-needed solution to a persistent and dangerous class of web security flaws.