Lab 2.4 - Protect against a SSRF attack

Task 1 - Implement Static Parameter values

1. From Postman, click “Send” on the SSRF Attack-Dummy request. Notice you get content from Google via api.acme.com/vulnerable. This endpoint is vulnerable to Server Side Request Forgery attacks

2. From Postman, run SSRF Attack-unprotected-json. This site contains example ID and keys in JSON format. Hackers will uses your servers as a jump off point to gain access to internal resources

3. Navigate to Security -> Event Logs -> Application -> Requests and find both requests. Notice nothing appears malicious about these requests except for the destinations.

4. We are going to secure the the uri parameter, so it only allows access to Google, but not access to private data hosted internally.
5. Navigate to Security -> Application Security -> Parameters -> Parameters List. Click the + Plus Symbol

6. Enter the Name uri
7. Uncheck Perform Staging
8. From the Parameter Value Type dropdown select Static Content Value
9. Enter http://dummy.restapiexample.com/api/v1/employees for the New Static Value
10. Click Add
11. Click Create

12. Click Apply Policy
13. From Postman, run SSRF Attack-Dummy. Access to Google is still allowed.
14. From Post, run SSRF Attack-unprotected-json. This site is now blocked as intended

15. Navigate to Security -> Event Logs -> Application -> Requests and find the latest blocked request. The uri parameter is highlighted due to Illegal Static Parameter Value.