Bolstering Security: Configuring Domains to Ward Off SSRF
In today’s interconnected digital landscape, web application security is paramount. Server-Side Request Forgery (SSRF) threatens the integrity and confidentiality of web applications. This post explains how to configure known domains to mitigate SSRF risks in embedded applications and offers prevention measures for developers and system administrators.
What is SSRF?
Server-Side Request Forgery is a security vulnerability in which an attacker manipulates a web application into making arbitrary requests on the attacker’s behalf. The attacker abuses the application’s own functionality to reach internal or external resources that the application can access.
Importance of configuring known domains to avoid SSRF attack in Bold BI
Configuring known domains is crucial for avoiding Server-Side Request Forgery attacks in Bold BI because it restricts unauthorized access to internal resources and protects sensitive data. This minimizes the chances of an attacker abusing your domain, pivoting through your network, or exfiltrating sensitive information.
How to configure a known domain in Bold BI?
Bold BI lets you block sending data to unknown domains so that an attacker cannot receive any information from your server. This is configured through the known domains setting in Bold BI.
Steps to configure known domains
1. Go to settings in Bold BI under UMS, then select Configuration, as shown in the following figure. You can navigate to the UMS page with the following URL: http://<your-domain>/ums/administration/config-editor.
2. Click the drop-down in the Search your files section, then select the known_domains.json file to configure the allowed and denied domain lists.
3. Enable known-domain checking in Bold BI by setting the Enabled node to true.
4. Set the Enabled node to false if you do not want the configuration to be enforced.
5. Add the list of denied domains to the Deny node. A wildcard can be used to deny all external domains, and wildcards can also be combined with subdomains (*.boldbi.com, *.*.boldbi.com).
6. Add the list of allowed domains to the Allow node, separating them with commas.
7. After configuring, click the Save button to update the known_domains.json file.
Note: If you have configured the same domain in both the Allow and Deny lists, the domain will be denied as the Deny list takes priority.
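The allow/deny semantics from steps 3 to 7 and the note above, worked through in code. This is an added Python example, not Bold BI’s own implementation; the JSON layout, the one-label-per-wildcard matching rule, and the sample domains are assumptions made for the illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a known_domains.json. The page names the Enabled, Allow
# and Deny nodes and comma-separated domain lists; the exact file layout is an
# assumption. "shared.example.com" sits in both lists to show Deny priority.
SAMPLE_KNOWN_DOMAINS = json.dumps({
    "Enabled": True,
    "Allow": "dashboards.example.com, *.boldbi.com, shared.example.com",
    "Deny": "*.*.boldbi.com, untrusted.example.net, shared.example.com",
})


def parse_domain_list(value):
    """Split a comma-separated domain list into lowercase patterns."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def domain_matches(host, pattern):
    """Label-wise match: each '*' stands for exactly one DNS label, so
    '*.boldbi.com' and '*.*.boldbi.com' cover different depths (assumed)."""
    host_labels = host.split(".")
    pattern_labels = pattern.split(".")
    if len(host_labels) != len(pattern_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(pattern_labels, host_labels))


def is_publish_allowed(target_url, config_json=SAMPLE_KNOWN_DOMAINS):
    """Decide whether the server may send data to target_url.

    Deny is checked first (it takes priority), then Allow; anything not
    explicitly allowed is refused. With Enabled false the check is off.
    """
    cfg = json.loads(config_json)
    if not cfg.get("Enabled", False):
        return True  # configuration switched off: nothing is blocked
    host = urlparse(target_url).hostname  # lowercased, port stripped
    if not host:
        return False  # unparsable or schemeless target: refuse
    if any(domain_matches(host, p) for p in parse_domain_list(cfg.get("Deny", ""))):
        return False
    return any(domain_matches(host, p) for p in parse_domain_list(cfg.get("Allow", "")))


if __name__ == "__main__":
    for url in ("https://reports.boldbi.com/publish", "https://a.b.boldbi.com/",
                "https://shared.example.com/", "https://unknown.example.org/"):
        print(url, "->", "allowed" if is_publish_allowed(url) else "denied")
```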
Example of configured known domains
Healthcare
When publishing a healthcare dashboard to multiple tenants, you can avoid SSRF attacks by configuring known domains, which protects patient data and medical infrastructure and reduces the risk of compromising patient care.
This sample illustrates the configured known-domain access process.
Allow Domain
1. Add the domain and allow it in the configuration.
2. Proceed to publish by selecting the known domain.
3. Publishing is allowed, as shown, and you can then access the dashboard in your tenant.
Deny Domain
On the same dashboard, try publishing to another site that has been configured in the denied list of the known domain JSON. Publishing to that site fails, as illustrated in the images below:
1. Add the domain and deny it in the configuration.
2. Proceed to publish by selecting the known domain.
3. Your dashboard will not be published, and a message conveying this is shown.
Read this documentation for more information about publishing dashboards between multiple tenants in Bold BI. Check out this documentation for the steps to publish a data source to internal sites.
Note: For security against SSRF attacks, configure known domains in “allow” and suspected domains in “deny.” Enable support by setting the “enabled” property to true, preventing denied domains and SSRF attacks.
I hope this post has helped you improve and secure your website. Regular security assessments and staying informed about emerging threats are crucial for protecting your systems from potential attacks. Prevention is key, and maintaining a strong security posture is essential to safeguarding your applications and infrastructure.