SSRF protection
Overview
You can configure WAF to protect a security policy against Server-Side Request Forgery (SSRF). In an SSRF attack the attacker takes advantage of parameters that carry dynamic IP addresses or domain names which the server application then connects to. Rather than letting the server access the legitimate destination, the attacker crafts a request that populates the parameter with the address of a server, or of files on the server, that the application is not allowed to access. Identify the parameters that are subject to SSRF attack and configure the IP addresses or domain names to deny, allow, or resolve for those parameters.
Prerequisites
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to protect from SSRF
Manage SSRF protection
Add, delete, or manage actions for SSRF hosts (domain names or IP addresses). An SSRF host action either allows or denies the specified host when it is detected in the configured payload parameters. To enable SSRF functionality, the parameter that carries the IP addresses or domain names must be configured as a parameter with the value type Auto Detect.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the menu, select SSRF.
To add an SSRF host:
Click Add.
Under Host enter the domain name or IP address.
For Action select one of the following:
Deny - If the SSRF host is detected in the payload parameters, the request is always denied.
Allow - If the SSRF host is detected in the payload parameters, the request is always allowed.
Resolve - This option is only relevant to domain names. When the host name is detected, the WAF policy uses the host name to look up its IP address(es) with the configured DNS resolver. If one or more IP addresses correspond to the domain name, they are looked up in the SSRF host list; if any of those IP addresses is set to Deny, the configured mitigation action is taken. For the wildcard entry (*), the Resolve action is interpreted as Allow for IP addresses.
Click Save. The SSRF host is added to the list.
Add a parameter. This is optional if you already have parameters configured with the value type Auto Detect. SSRF protection is not enabled until at least one such parameter is configured:
Under the Parameters area, click Add Parameter. If parameters are already configured, click Manage Parameters and then Create.
Enter a parameter Name.
Select a Parameter Type:
Explicit - Specifies a unique parameter.
Wildcard - Specifies that the parameter is a wildcard expression. Any parameter that matches the wildcard expression is considered legal.
Note: See Wildcard syntax for more information.
Ensure the Value Type is Auto Detect.
Click Save.
Click Deploy to deploy changes.
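To make the Deny, Allow, and Resolve semantics described above concrete, here is an added Python model of the decision the policy makes for one Auto Detect parameter value. It is not F5 code: the host list, the DNS answers, and the action names are constructed for the example, and treating a Resolve action on a plain IP entry as Allow is an assumption that extends the wildcard rule stated on the page.

```python
import ipaddress
from typing import Callable, Dict, List

# Action names as used on the page; a host list maps each SSRF host entry to one of them.
DENY, ALLOW, RESOLVE, WILDCARD = "deny", "allow", "resolve", "*"
NO_MATCH = "no_match"  # value is not an SSRF host at all, so no violation is raised

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _ip_action(ip: str, hosts: Dict[str, str]) -> str:
    """Action for an IP literal: the exact entry first, then the '*' entry.
    Resolve has no meaning for an IP, so it is read as Allow (assumption, per the '*' rule)."""
    action = hosts.get(ip, hosts.get(WILDCARD, NO_MATCH))
    return ALLOW if action == RESOLVE else action

def ssrf_decision(value: str, hosts: Dict[str, str],
                  resolve: Callable[[str], List[str]]) -> str:
    """Decide how the policy treats one Auto Detect parameter value.
    Returns DENY, ALLOW or NO_MATCH; DENY is where the Alarm / Alarm & Block setting applies."""
    value = value.strip().lower().rstrip(".")
    if _is_ip(value):
        return _ip_action(value, hosts)
    action = hosts.get(value, hosts.get(WILDCARD, NO_MATCH))
    if action != RESOLVE:
        return action
    # Resolve: look the name up and check every returned address against the host list;
    # a single denied address is enough to deny the request.
    if any(_ip_action(ip, hosts) == DENY for ip in resolve(value)):
        return DENY
    return ALLOW

# Constructed sample host list and DNS answers (not from any real deployment).
SAMPLE_HOSTS = {
    "169.254.169.254": DENY,       # metadata endpoint the application must never reach
    "images.example.com": ALLOW,   # trusted by name
    "cdn.example.net": RESOLVE,    # trusted name, but check where it actually points
    WILDCARD: DENY,                # every other host is refused
}
SAMPLE_DNS = {"cdn.example.net": ["203.0.113.10", "169.254.169.254"]}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])
```

Note that with the wildcard set to Deny, an unlisted IP literal is refused outright, while with the wildcard set to Resolve the same IP is allowed, which is exactly the special case the page calls out for the `*` entry.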
Manage an SSRF violation
Manage how the WAF policy handles a request for server-side access to a disallowed host. This violation is an attempt to reach a disallowed SSRF host from the server side by exploiting an address parameter.
For details about default template settings for violations, see SSRF violations.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click SSRF.
Click Violations.
The SSRF Violations panel opens.
Select the policy action when the policy detects an SSRF attack:
Select one of the following protection settings:
Alarm - Sends an alert to the event log when a request targets an SSRF host set to Deny.
Alarm & Block - Sends an alert to the event log and blocks the traffic when a request targets an SSRF host set to Deny.
Disabled - The policy does not detect SSRF attacks or enforce the violation.
Click Save.
The SSRF settings are updated, but the policy changes are not yet deployed. Click Deploy to deploy the changes to the BIG-IP Next instances.
Resources
Configure using API
Violation Settings
SSRF protection management using the policy editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.