Bolstering Security: Configuring Domains to Ward Off SSRF

    This blog highlights the significance of configuring known domains for web application protection against SSRF attacks using Bold BI.

    In today’s interconnected digital landscape, web application security is paramount. Server-Side Request Forgery (SSRF) threatens the integrity and confidentiality of web applications. This post explains how configuring known domains mitigates SSRF risk in embedded applications and offers prevention measures for developers and system administrators.

    What is SSRF?

    Server-Side Request Forgery is a security vulnerability in which an attacker manipulates a web application into making arbitrary requests on the attacker’s behalf. The attacker abuses the application’s own functionality to reach internal or external resources that the server, rather than the attacker, is permitted to access.

    Importance of configuring known domains to avoid SSRF attacks in Bold BI

    Configuring known domains is crucial to avoiding Server-Side Request Forgery attacks in Bold BI because it restricts unauthorized access to internal resources and protects sensitive data. This minimizes the chance of an attacker abusing your server, pivoting through your network, or exfiltrating sensitive information.

    How to configure a known domain in Bold BI?

    Bold BI lets you block sending data to unknown domains so that an attacker cannot receive any information from your server. This is configured through the known domains setting in Bold BI.

    Steps to configure known domains

    1. Go to settings in Bold BI under UMS, then select Configuration, as shown in the following figure. You can navigate to the UMS page with the following URL: http://<your-domain>/ums/administration/config-editor.

    Navigation to the Configuration tab

    2. Click the drop-down in the Search your files section, then select the known_domains.json file to configure the allowed and denied domain lists.

    Select known_domains.json

    3. Enable known-domain checking in Bold BI by setting the Enabled node to true.

    Enabled true Configuration

    4. If you do not want the known-domain check to apply, set the Enabled node to false.

    Enabled false Configuration

    5. Add the list of denied domains to the Deny node. A wildcard in the known domain JSON nodes denies all external domains, and wildcards can also be used at the subdomain level (for example, *.boldbi.com or *.*.boldbi.com).

    Deny Configuration

    6. Add the list of allowed domains to the Allow node, separating them with commas.

    Allow list configuration

    7. After configuration, click the Save button to update the Known Domain JSON file.

    Save the Configuration

    Note: If you have configured the same domain in both the Allow and Deny lists, the domain will be denied as the Deny list takes priority.
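    The following is an added example, not Bold BI’s own code, that models the decision the steps above describe: a target host is blocked when it matches the Deny list, allowed when it matches the Allow list, and treated as unknown (blocked) otherwise, with the check switched off when Enabled is false. The node names Enabled, Allow and Deny are taken from the steps; the exact file layout and the rule that a wildcard stands for exactly one DNS label are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configuration. The page names the Enabled, Allow and Deny
# nodes but does not show the file, so this exact layout is an assumption.
SAMPLE_CONFIG = json.loads("""
{
  "Enabled": true,
  "Allow": "tenant-a.example-hospital.org, tenant-b.example-hospital.org, *.boldbi.com",
  "Deny":  ["tenant-b.example-hospital.org", "*.*.boldbi.com"]
}
""")

def _as_list(value):
    """Accept either a JSON array or the comma-separated form described in step 6."""
    if isinstance(value, str):
        value = value.split(",")
    return [v.strip() for v in value if v and v.strip()]

def _pattern_matches(pattern, host):
    """Label-wise comparison; '*' stands for exactly one DNS label (assumed semantics)."""
    p = pattern.lower().strip(".").split(".")
    h = host.lower().strip(".").split(".")
    return len(p) == len(h) and all(pl == "*" or pl == hl for pl, hl in zip(p, h))

def target_hostname(target):
    """Extract the hostname a publish request would be sent to (bare host or URL)."""
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower()

def is_publish_allowed(target, config=SAMPLE_CONFIG):
    """Apply known-domain rules: Deny first, then Allow, then default-block unknown hosts."""
    if not config.get("Enabled", False):
        return True  # step 4: with Enabled set to false the check does not apply
    host = target_hostname(target)
    if not host:
        return False
    if any(_pattern_matches(p, host) for p in _as_list(config.get("Deny", []))):
        return False  # the Deny list takes priority over the Allow list
    # Anything not explicitly allowed is an unknown domain and is blocked.
    return any(_pattern_matches(p, host) for p in _as_list(config.get("Allow", [])))

if __name__ == "__main__":
    for url in ("https://tenant-a.example-hospital.org/dashboards", "https://a.b.boldbi.com"):
        print(url, "->", "allowed" if is_publish_allowed(url) else "blocked")
```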

    Example of configured known domains

    Healthcare

    When publishing a healthcare dashboard to multiple tenants, configuring known domains helps prevent SSRF attacks that could expose patient data, reach medical infrastructure, or otherwise compromise patient care.

    This sample sheds light on the configured known domain access process.

    Allow Domain

    1. Add the domain to the Allow configuration.

    Allow Configuration

    2. Proceed to publish by selecting the known domain.

    Selecting known domain

    3. Publishing succeeds, as shown, and the dashboard can then be accessed in your tenant.

    Published Notification
    Patient Healthcare Monitoring Dashboard published in the allowed domain

    Deny Domain

    Now try to publish the same dashboard to a site whose domain is configured in the Deny list of the known domain JSON. Publishing to that site fails, as illustrated in the following images:

    1. Add the domain to the Deny configuration.

    Deny configuration

    2. Proceed to publish by selecting the known domain.

    Selecting known domain

    3. The dashboard is not published, and a notification like the one shown is displayed.

    Denied access notification

    Read this documentation for more information about publishing dashboards between multiple tenants in Bold BI. Check out this documentation for the steps to publish a data source to internal sites.

    Note: For protection against SSRF attacks, place known domains in “allow” and suspected domains in “deny,” then enable the check by setting the “enabled” property to true so that requests to denied domains are blocked.

    I hope you have gained knowledge to improve and secure your website. Regular security assessments and staying informed about emerging threats are crucial for protecting your systems from potential attacks. Prevention is key, and maintaining a strong security posture is essential to safeguarding your applications and infrastructure.
