Questions tagged [ssrf]

Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server.

34 questions

16 votes, 1 answer

Preventing Server-Side Request Forgeries in Java

The application lets users specify a URL for their profile picture. It fetches the data from the URL and saves it on the server. However, the app is vulnerable to server-side request forgery (SSRF) - you can specify URLs like file:///etc/passwd and…
paj28

6 votes, 1 answer

What can be done with Blind SSRF?

I know SSRF can be exploited with the file:// protocol to read local files (something like path traversal) and also scan ports of hosts from the same network as the web server. But how can Blind SSRF be exploited?
Reda LM

6 votes, 1 answer

SSRF Attack Exploitation Scenario

In this video (0:37) the guy starts a simple HTTP server using Python and then uses a link to fetch a file from the server he just started. But how does this pose a potential security vulnerability? A file gets uploaded to a place and that file is…

4 votes, 1 answer

How to exploit SVG xlink-based SSRF

First, let me summarize how the SSRF works: 1) You set up an SVG image with a reference to your server via xlink. Here's an example that works:
Jack

4 votes, 2 answers

What is the difference between RFI/LFI and SSRF?

Is there any difference between those? Can we say that Server Side Request Forgery (SSRF) is a generalization of Remote File Inclusion (RFI) and Local File Inclusion (LFI)?
kozooh

4 votes, 2 answers

Potential issues allowing users to set any URL as web hook

I’m still in the planning stage so this may not be fully fleshed out, but I’m working on a SaaS project. Part of which allows users (customers of my SaaS) to configure my API to watch for events and respond in a preconfigured way. One response is…
DasBeasto

3 votes, 1 answer

Hijacking URL that ends with a trailing slash

I am pentesting an API which makes a backend call to https://example.org/ and appends any input you provide it (for example, if you provide test it will call https://example.org/test). I am trying to achieve SSRF in this scenario, so my goal is to…
Bob

3 votes, 2 answers

Server Side request forgery (SSRF) explanation

I am looking to gain a better understanding of the SSRF vulnerability. I have googled and watched YouTube tutorials but they all show advanced techniques that are difficult to understand. I am curious as to how to connect to a website with my…
Rifat Shommo

3 votes, 0 answers

How to fix Out-of-band resource load (HTTP) issue identified by BURP scan

I have a Salesforce application which is using my web application hosted on one of our customer's servers (IIS 8.0). BURP Scan has identified one issue in my web application. The issue is something like this. Severity: High Confidence: Certain Host: …
rakesh

2 votes, 0 answers

HTML Injection to blind SSRF testing retrieves only DNS Query

I recently came across an application that was vulnerable to HTML injection on the invite function. When I insert the image got rendered on the mail I received. I decided to test for blind SSRF out of band detection, so I gave…
None_None

2 votes, 2 answers

Why does Portswigger's solution to the lab "SSRF with whitelist-based input filter" work?

The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter The solution is: http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos A little simplified (no port…

2 votes, 0 answers

Is it safe to let users enter a URL in my app that queries an external REST api?

The idea was to allow users to enter a URL inside the application that would send a request to my backend, fetch the data, and load it into a local cache (Apollo/GraphQL). The only sensitive data sent to the server is a JWT attached in the headers…

2 votes, 2 answers

Secure AWS instance metadata against potential SSRF

I am running a Windows instance on AWS. The instance has an IIS service running on it. The IIS service has a user associated to it and it has no need to access the AWS instance metadata. I was reading up on…

2 votes, 2 answers

Flow of a host header injection attack?

I am new to this field and would like to know how the flow happens in a host header injection attack. I believe it's as below: Client generates the request. Attacker manipulates the request and changes the host header (to say example.com). Server…

2 votes, 1 answer

Is SSRF an attack or a vulnerability?

I'm reading now about SSRF attacks, and many articles say "SSRF is an attack" and others say "it's a vulnerability." Which is correct?