Invisible Attacker — Scanning Pattern Analysis Over Web Application
Hello guys, hope everyone is doing well. I would like to share one of my recent investigations into scanning/crawling of a web application.
As a security engineer, I usually apply my offensive web application testing knowledge to defensive traffic pattern analysis.
How do I find the pattern?
This happened a month ago, while I was analysing firewall traffic from a remote IP address towards one of our customer applications. The attacker specifically tried to brute force the WordPress login, as WordPress is used as the CMS in that customer application.
The traffic pattern looked weird, but when I checked the IP reputation with multiple threat intelligence sources, the IP address (x.x.x.x) was not blacklisted and had a good reputation. After the reputation check, I got a clue: there was a website (abcd.com) running behind the captured IP address (x.x.x.x).
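As an added example (not code from the original post), here is how the pattern described above can be pulled out of web server access logs: a sliding-window count of POSTs to wp-login.php per source IP, with the failed/succeeded split. The log lines are constructed for the example, the addresses are documentation ranges rather than the real x.x.x.x, and the threshold and window are arbitrary starting values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Apache/nginx default). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation addresses, not the real x.x.x.x):
# one source hammering wp-login.php once per second, and one legitimate admin
# who loads the form, logs in (302) and lands on wp-admin.
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Mar/2024:10:00:{i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"'
    for i in range(12)
] + [
    '198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string (e.g. ?action=lostpassword)
        "status": int(m["status"]),
    }


def find_wp_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: summary} for every source IP that POSTs to /wp-login.php at
    least `threshold` times inside any `window_seconds` sliding window.

    WordPress re-renders the login form with HTTP 200 on a failed login and
    answers 302 (redirect to wp-admin) on success, so the status split tells
    you whether the brute force got anywhere.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            per_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        peak = 0
        for ev in events:
            window.append(ev)
            # Evict events that fell out of the window ending at `ev`.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "failed": sum(1 for e in events if e["status"] == 200),
                "succeeded": sum(1 for e in events if e["status"] == 302),
                "first": events[0]["ts"].isoformat(),
                "last": events[-1]["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_wp_login_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The script only flags the source; the step that mattered in this investigation, checking whether a web site is hosted on the flagged IP (reverse DNS, a browser visit, passive DNS), is a manual follow-up, because a clean reputation score alone says nothing about whether the address is a compromised proxy.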
This is where I started to think differently, relating the pattern to a server-side web application attack: SSRF (Server-Side Request Forgery).
What is SSRF (Server-Side Request Forgery)?
In an SSRF attack, the attacker manipulates a parameter of the web application (typically a URL that the server fetches on the client's behalf) to create or control requests made by the vulnerable server. Because those requests originate from the vulnerable server, the attacker can also hide their identity behind it: the target only ever sees the vulnerable site's IP address, not the attacker's.
An attacker can therefore use the SSRF vulnerability of one web site to initiate port scans or brute-force attacks against another web server, and the scanning appears to come from the vulnerable site, which usually has a clean reputation.
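As an added example (not code from the original post or from the abcd.com application), here is the pattern in Python: a server-side fetch that trusts a client-supplied URL, beside a hardened version that enforces a host allowlist, refuses non-public addresses and odd ports, and refuses redirects. ALLOWED_HOSTS, the host names and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this application has a business
# reason to fetch from. Replace with the real application's needs.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}


def fetch_vulnerable(url):
    """The SSRF anti-pattern: the server fetches whatever URL the client supplies.

    With url=http://<victim>/wp-login.php submitted in a loop, this server
    becomes the attacker's proxy: the victim's firewall logs this server's
    clean-reputation IP, not the attacker's. Shown for contrast; never called.
    """
    return urllib.request.urlopen(url, timeout=5).read()


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses (rejects 10/8, 127/8,
    169.254/16 incl. cloud metadata, 192.168/16, multicast, reserved, ...)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url, resolver=socket.gethostbyname):
    """Return (True, resolved_ip) if `url` may be fetched, else (False, reason).

    `resolver` is injectable so the policy can be unit-tested without DNS.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"           # no file://, gopher://, dict:// ...
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"  # http://allowed.host@evil/ tricks
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"             # no port scanning through us
    try:
        resolved = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    if not is_public_ip(resolved):
        return False, f"{host} resolves to non-public address {resolved}"
    return True, resolved


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: an allowlisted host could otherwise 302 us anywhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(newurl, code, "redirect refused", headers, fp)


def fetch_hardened(url, resolver=socket.gethostbyname):
    ok, info = validate_fetch_target(url, resolver)
    if not ok:
        raise ValueError(f"refused to fetch {url}: {info}")
    # Caveat: the fetch below resolves the name a second time. Against DNS
    # rebinding, connect to `info` (the validated IP) and set the Host header
    # yourself, or run the validation inside the HTTP client's connect hook.
    opener = urllib.request.build_opener(_NoRedirect)
    return opener.open(url, timeout=5).read()
```

The allowlist is what actually stops the attack in this post: blocking private ranges alone would still let the vulnerable site be pointed at any public WordPress login page. The scheme and port checks close the port-scanning use, the redirect handler closes the open-redirect bypass, and the resolve-once caveat is the remaining gap a reviewer should ask about.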
Yes, in my case too the attacker used a web server vulnerable to SSRF and initiated the brute force against my customer's web application to gain "WordPress plugin" access.
How did I confirm the web application was vulnerable to SSRF?
As I mentioned earlier in this post, the website abcd.com is vulnerable to SSRF. I manually tried to exploit that vulnerability using Burp, and only then did I confirm that the website is vulnerable to SSRF.
What did I do after finding the SSRF, and how did I conclude?
I reported it to the website owner by email with a proper SSRF report, and recommended blocking the original IP address captured on their firewall, along with proper SSRF patching/remediation.
I requested the top-level entity (the first level of traffic filtering for entering the region) to create a firewall policy/IPS signature to prevent WordPress plugin access from outside the region, and then enforced MFA with limited access.