Researchers found four Microsoft Azure services that were vulnerable to Server-Side Request Forgery (SSRF), a web security flaw that remains prevalent and poses an ongoing threat to cloud environments.
The vulnerable services include Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, according to a blog post Tuesday by Orca Security. Among them, two vulnerabilities involving Azure Functions and Azure Digital Twins did not require authentication, meaning that an attacker could exploit them even without an Azure account.
“The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments,” Lidor Ben Shitrit, cloud security researcher at Orca, wrote in the blog post.
Indeed, SSRF attacks can be particularly dangerous since a successful execution can result in an attacker accessing or modifying internal resources as well as submitting data to external sources.
In addition, if attackers are able to access…