A perfect example of why Server Side Request Forgery (SSRF) vulnerabilities are on the OWASP Top 10 list.
Security Breach Spotlight: OWASP Top 10 Security Vulnerabilities - Capital One 2019
OWASP
The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving software security. It provides free, open-source resources, tools, documentation, and best practices to help developers, security professionals, and organizations identify and mitigate security risks.
OWASP maintains a list of the ten most critical web application security risks, which can be found here: OWASP TOP 10. Today we'll be exploring risk #10 on that list, Server Side Request Forgery (SSRF).
Server Side Request Forgery (SSRF)
SSRF is a web application security vulnerability that allows a bad actor to make the server send unauthorized requests to internal or external resources by manipulating URL input.
This can lead to data exposure, internal network scanning, or even remote code execution.
How does it work?
When a web application fetches a URL supplied by the user, an attacker can replace the intended URL with a target of their choosing. Because the request is then issued by the server itself, which internal systems treat as a trusted source, it can bypass the network controls that would block the same request coming directly from the outside.
Here are some examples:
1. Loading a public profile picture
Normal request:
GET /fetch?url=https://example.com/profile-picture.jpg
What it does:
- Fetches a public profile picture from a trusted domain
- Serves expected content to the user
- Operates within intended parameters
2. Internal Admin Access Exploitation
Malicious request:
GET /fetch?url=http://localhost:8080/admin/users
GET /fetch?url=file:///etc/passwd
GET /fetch?url=http://internal-network.local:8080/api/users
What it does:
- Attempts to access restricted admin interfaces
- May expose sensitive user data
- Could reveal system configuration files
- Potential to access internal network resources
3. Cloud Service Metadata
Normal request:
GET /fetch?url=https://api.example.com/public-data
Malicious request:
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
GET /fetch?url=http://169.254.169.254/latest/meta-data/hostname
GET /fetch?url=http://169.254.169.254/latest/user-data
What it does:
- Attempts to access AWS metadata service
- Could expose cloud credentials
- May reveal instance configuration
- Potential access to sensitive user data
4. Port Scanning via SSRF
Normal request:
GET /fetch?url=https://api.example.com/status
Malicious request:
GET /fetch?url=http://internal-host:22
GET /fetch?url=http://internal-host:3306
GET /fetch?url=http://internal-host:6379
What it does:
- Probes for open ports (SSH, MySQL, Redis)
- Maps internal network architecture
- Identifies potential attack vectors
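The four request patterns above all pass through the same `/fetch?url=` handler, so the natural place to stop them is a gate that classifies the target before any outbound connection is made. The following is an added example written for this article, not code from the original post: it parses each sample request line, rejects non-http(s) schemes (which catches `file://`), refuses loopback hostnames, resolves names to addresses, and blocks anything that lands in a private, loopback or link-local range (the last covers the 169.254.169.254 metadata address). The `FAKE_DNS` table is a constructed stand-in for real DNS so the example runs offline; in production you would resolve with `dns.promises.lookup` and connect to the resolved address.

```javascript
// Added example (not from the original post): a hardened gate for a "/fetch?url=" endpoint.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Constructed lookup table standing in for DNS (example only, not real records).
const FAKE_DNS = {
  'example.com': '93.184.216.34',
  'api.example.com': '93.184.216.34',
  'internal-network.local': '10.0.5.20',
  'internal-host': '10.0.0.7',
};

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges a public-facing fetcher must never reach: "this" network, RFC 1918,
// carrier-grade NAT, loopback and link-local (which contains 169.254.169.254).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function isBlockedAddress(addr) {
  let ip = addr.replace(/^\[|\]$/g, '').toLowerCase();
  if (ip.startsWith('::ffff:')) ip = ip.slice(7);          // IPv4-mapped IPv6
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([base, bits]) =>
      (v4 >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits)));
  }
  // Minimal IPv6 handling: unspecified, loopback, unique-local (fc00::/7), link-local (fe80::/10).
  return ip === '::' || ip === '::1' || /^f[cd]/.test(ip) || /^fe[89ab]/.test(ip);
}

// Returns { allowed, reason | address } for a user-supplied target URL.
function classifyFetchTarget(rawUrl, resolveHost = (h) => FAKE_DNS[h] ?? null) {
  let u;
  try { u = new URL(rawUrl); } catch { return { allowed: false, reason: 'malformed URL' }; }
  if (!ALLOWED_PROTOCOLS.has(u.protocol)) return { allowed: false, reason: `protocol ${u.protocol} not permitted` };
  if (u.username || u.password) return { allowed: false, reason: 'credentials embedded in URL' };
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { allowed: false, reason: 'loopback hostname' };
  // Literal IPs are checked directly; names are resolved first so an innocent-looking
  // name that points at 10.x or 169.254.x is still caught.
  const addr = (ipv4ToInt(host) !== null || host.includes(':')) ? host : resolveHost(host);
  if (addr === null) return { allowed: false, reason: 'unresolvable host' };
  if (isBlockedAddress(addr)) return { allowed: false, reason: `resolves to non-public address ${addr}` };
  return { allowed: true, address: addr };
}

// Parses one request line in the form used above ("GET /fetch?url=...") and gates it.
function gateRequestLine(line) {
  const target = line.split(' ')[1];                            // "/fetch?url=..."
  const wanted = new URL(target, 'http://app.invalid').searchParams.get('url');
  return { url: wanted, ...classifyFetchTarget(wanted) };
}

// Run the article's sample requests through the gate.
[
  'GET /fetch?url=https://example.com/profile-picture.jpg',
  'GET /fetch?url=http://localhost:8080/admin/users',
  'GET /fetch?url=file:///etc/passwd',
  'GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/',
  'GET /fetch?url=http://internal-host:22',
].forEach((line) => console.log(gateRequestLine(line)));
```

Two caveats matter in practice. First, check the address you actually connect to: if the code resolves the name once for the check and the HTTP client resolves it again for the connection, a DNS answer that changes between the two (DNS rebinding) defeats the gate, so connect to the resolved IP and send the original hostname in the `Host` header. Second, follow redirects manually and run every hop through the same gate, otherwise an allowed public URL can 302 to an internal one.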
Capital One
This brings us to the 2019 Capital One data breach that exposed over 100 million customer records due to an SSRF vulnerability in Capital One’s AWS-hosted infrastructure.
The attacker, Paige Thompson, a former AWS engineer, exploited the vulnerability to access AWS metadata services and retrieve temporary IAM credentials. Using these credentials, she gained unauthorized access to Amazon S3 buckets, stealing Social Security numbers, bank account details, and personal data from Capital One’s customers. The breach was discovered when Thompson bragged about it online, leading to her arrest by the FBI.
The attack succeeded due to poor security configurations, including excessive IAM permissions and a failure to block access to the internal AWS metadata service. Capital One’s application allowed external requests to internal IP addresses, enabling Thompson to bypass firewalls and escalate privileges. Additionally, weak monitoring and logging meant that the unauthorized access was not detected in real time.
As a result, Capital One was fined $80 million and later settled a $190 million class-action lawsuit with affected customers.
To prevent SSRF attacks and similar breaches, organizations should validate external URL inputs, block requests to internal addresses, and enforce strict IAM policies following the principle of least privilege. AWS metadata should be secured by enabling IMDSv2, and real-time monitoring tools should be in place to detect unusual credential use. The Capital One breach highlights the critical importance of cloud security best practices and proactive vulnerability management.
Preventative Measures
- Whitelist allowed domains and URLs
- Validate and sanitize all user input
- Block requests to internal networks
- Implement proper access controls
Simple URL validation function example
// Allow-list check: returns true only for an http(s) URL whose hostname is on the list.
function validateUrl(url) {
  const allowList = ['api.trusted-domain.com'];
  let urlObj;
  try { urlObj = new URL(url); } catch { return false; }   // malformed input is rejected, not thrown
  // The scheme check keeps file:// and other non-web schemes out even for listed hosts.
  return ['http:', 'https:'].includes(urlObj.protocol) && allowList.includes(urlObj.hostname);
}
AWS Security Best Practices
- Enable IMDSv2
- Implement proper VPC configurations
- Use AWS WAF to filter malicious requests
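Enabling IMDSv2 is the control most directly tied to the Capital One case, so it is worth seeing why it helps. IMDSv2 is session-oriented: a client must first send a PUT to `/latest/api/token` with an `X-aws-ec2-metadata-token-ttl-seconds` header, receive a token, and then present that token in an `X-aws-ec2-metadata-token` header on every metadata GET. A vulnerable `/fetch?url=` handler like the one in this article issues plain GETs and forwards no custom headers, so with tokens required the request at `/latest/meta-data/iam/security-credentials/` gets a 401. The following in-memory model is an added example written for this article, not AWS code: `imdsHandler` is a constructed stand-in for the metadata service, the `METADATA` values are placeholders, and `getOnlyFetcher` models the vulnerable endpoint.

```javascript
// Added example (not AWS code): a constructed model of IMDSv1 vs IMDSv2 behaviour.
const MAX_TTL_SECONDS = 21600;           // IMDSv2 caps a session token at six hours
const issuedTokens = new Map();          // token -> expiry timestamp (ms); constructed store

// Placeholder metadata; real values are never reproduced here.
const METADATA = {
  '/latest/meta-data/hostname': 'ip-10-0-0-7.example.internal (constructed)',
  '/latest/meta-data/iam/security-credentials/': 'example-role (constructed placeholder, no real credentials)',
};

// Model of the metadata endpoint. options.httpTokens is 'optional' (IMDSv1 still
// answers unauthenticated GETs) or 'required' (IMDSv2 only).
function imdsHandler(req, options, now = Date.now()) {
  const h = Object.fromEntries(
    Object.entries(req.headers ?? {}).map(([k, v]) => [k.toLowerCase(), v]));

  if (req.method === 'PUT' && req.path === '/latest/api/token') {
    // IMDSv2 refuses token requests that arrive with an X-Forwarded-For header,
    // i.e. ones relayed through a proxy rather than sent by the instance itself.
    if ('x-forwarded-for' in h) return { status: 403, body: 'proxied token request refused' };
    const ttl = Number(h['x-aws-ec2-metadata-token-ttl-seconds']);
    if (!Number.isInteger(ttl) || ttl < 1 || ttl > MAX_TTL_SECONDS) {
      return { status: 400, body: 'missing or invalid TTL header' };
    }
    const token = `tok-${Math.random().toString(36).slice(2)}`;   // constructed token format
    issuedTokens.set(token, now + ttl * 1000);
    return { status: 200, body: token };
  }

  if (req.method === 'GET' && req.path.startsWith('/latest/meta-data/')) {
    const token = h['x-aws-ec2-metadata-token'];
    const valid = Boolean(token) && issuedTokens.has(token) && issuedTokens.get(token) > now;
    if (options.httpTokens === 'required' && !valid) return { status: 401, body: 'Unauthorized' };
    if (!(req.path in METADATA)) return { status: 404, body: 'Not Found' };
    return { status: 200, body: METADATA[req.path] };
  }
  return { status: 404, body: 'Not Found' };
}

// Models the article's vulnerable endpoint: it can only issue a bare GET.
function getOnlyFetcher(path, options) {
  return imdsHandler({ method: 'GET', path, headers: {} }, options);
}

// Models a well-behaved client on the instance (SDKs do this for you).
function sessionClient(path, options) {
  const tokenResp = imdsHandler(
    { method: 'PUT', path: '/latest/api/token',
      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '300' } }, options);
  if (tokenResp.status !== 200) return tokenResp;
  return imdsHandler(
    { method: 'GET', path, headers: { 'X-aws-ec2-metadata-token': tokenResp.body } }, options);
}

const CREDS_PATH = '/latest/meta-data/iam/security-credentials/';
console.log('IMDSv1 (optional), GET-only fetcher :', getOnlyFetcher(CREDS_PATH, { httpTokens: 'optional' }).status);
console.log('IMDSv2 (required), GET-only fetcher :', getOnlyFetcher(CREDS_PATH, { httpTokens: 'required' }).status);
console.log('IMDSv2 (required), session client   :', sessionClient(CREDS_PATH, { httpTokens: 'required' }).status);
```

On a real instance the setting is `HttpTokens=required` in the instance metadata options (for example `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`). The real service adds one more protection the model leaves out: the token response is sent with an IP hop limit of 1 by default (`HttpPutResponseHopLimit`), so it does not survive a hop through a NAT or container bridge. IMDSv2 closes the GET-only path but is not a substitute for the URL gate and least-privilege IAM roles that the rest of this article describes.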