Lab 2.4 - Protect against a SSRF attack
========================================



Task 1 - Implement Static Parameter values
--------------------------------------------



1. From Postman, run **Get-SSRF Attack-Dummy**.  Notice you get content from Google via api.acme.com/vulnerable.  This endpoint is vulnerable to Server Side Request Forgery attacks

|image116|
|image118|

2. From Postman, run **Get-SSRF Attack-unprotected-json**. This site contains example ID and keys in JSON format.  Hackers will uses your servers as a jump off point to gain access to internal resources 

|image117|
|image119|


3. Navigate to **Security -> Event Logs -> Application -> Requests** and find both requests.  Notice nothing appears malicious about these requests except for the destinations. 

|image120|

 

4.  We are going to secure the the uri parameter, so it only allows access to Google, but not access to private data hosted internally.


5. Navigate to **Security -> Application Security -> Parameters -> Parameters List**.  Click the **+ Plus Symbol**

|image121|

6. Enter the Name **uri**
7. Uncheck **Perform Staging**
8. From the Parameter Value Type dropdown select **Static Content Value**
9. Enter **http://dummy.restapiexample.com/api/v1/employees** for the New Static Value 
10. Click **Add**
11. Click **Create**

|image122|

12. Click **Apply Policy**

13. From Postman, run **Get-SSRF Attack-Google**.  Access to Google is still allowed.

14. From Post, run **Get-SSRF Attack-unprotected-json**. This site is now blocked as intended

|image123|

15. Navigate to **Security -> Event Logs -> Application -> Requests** and find the latest blocked request.  The uri parameter is highlighted due to Illegal Static Parameter Value.

|image124|



.. |image116| image:: /_static/class1/module2/image116.png
	:width: 400px
.. |image117| image:: /_static/class1/module2/image117.png
	:width: 400px
.. |image118| image:: /_static/class1/module2/image118.png
	:width: 800px
.. |image119| image:: /_static/class1/module2/image119.png
	:width: 800px
.. |image120| image:: /_static/class1/module2/image120.png
	:width: 800px
.. |image121| image:: /_static/class1/module2/image121.png
	:width: 800px
.. |image122| image:: /_static/class1/module2/image122.png
	:width: 800px
.. |image123| image:: /_static/class1/module2/image123.png
	:width: 800px
.. |image124| image:: /_static/class1/module2/image124.png
	:width: 800px