Potential to Server-Side Request Forgery (SSRF)

Description

During the scan, Kayran found a potential Server-Side Request Forgery (SSRF) vulnerability. SSRF carries a range of risks: the attacker can supply or modify a URL that the server-side code then uses to read or submit data. The attacker may be able to read server-side information such as cloud service metadata.

SSRF can be exploited to reach internal servers inside the network, to scan internal ports, and in some cases to achieve Remote Code Execution (RCE). In addition, the attacker may cause the server to open a connection back to itself.
The attacker may also use this functionality to feed unvalidated data into code that expects to read only from trusted sources, thereby bypassing input validation.

Server-Side Request Forgery (SSRF) is an attack that makes your application issue arbitrary HTTP requests. SSRF is widely used by attackers to proxy requests from services exposed on the internet to unexposed internal endpoints.

Recommendation

To prevent SSRF vulnerabilities in your web applications, the ideal situation is one in which your application does not need to make arbitrary outbound requests at all.
Where it must, it is strongly advised to define and enforce a whitelist of allowed domains and protocols, and to validate every user-supplied URL against it before the server fetches anything.
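One way to implement the recommended whitelist of domains and protocols, as an added example rather than code from Kayran or the scanned application. The allowed hosts and schemes are constructed for the example; the check uses exact host matching (no suffix matching), rejects credentials in the URL, IP literals and non-standard ports, and treats any parse error as a rejection.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed whitelist for this example: the only destinations the
# server-side fetcher is permitted to contact.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 443}  # None means "default port for the scheme"


def is_allowed_url(url: str) -> bool:
    """Return True only if url points at a whitelisted scheme, host and port."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False  # malformed URL: fail closed

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False

    # Credentials in the authority ("https://good.host@other.host/") let the
    # part before '@' masquerade as the hostname; never allow them.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False
    host = host.rstrip(".")  # "api.example.com." is the same name

    # IP literals (loopback, private, link-local, IPv6 "[::1]") can never match
    # a whitelist of names, so reject them outright.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass

    # Exact match only: suffix or substring matching would accept
    # "api.example.com.attacker.example" or "notapi.example.com".
    if host not in ALLOWED_HOSTS:
        return False

    return port in ALLOWED_PORTS


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items", "http://api.example.com/"):
        print(candidate, "->", "allowed" if is_allowed_url(candidate) else "blocked")
```

The HTTP client that consumes an approved URL should also be configured not to follow redirects automatically, so that a whitelisted host cannot bounce the request to one that is not.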

References

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
