Questions tagged [ssrf]

Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server.

34 questions

votes

1 answer

Preventing Server-Side Request Forgeries in Java

The application lets users specify a URL for their profile picture. It fetches the data from the URL and saves it on the server. However, the app is vulnerable to server-side request forgery (SSRF) - you can specify URLs like file:///etc/passwd and…

java ssrf

asked May 18 '16 at 17:45

paj28

32,736
8
92
130

votes

1 answer

What can be done with Blind SSRF?

I know SSRF can be exploited with the file:// protocol to read local files (something like path traversal) and also scan ports of hosts from the same network as the web server. but how Blind SSRF can be exploited ?

web-application ssrf

asked Apr 01 '18 at 23:46

Reda LM

votes

1 answer

SSRF Attack Exploitation Scenario

In this video (0:37) the guy starts a simple HTTP server using Python and then uses a link to fetch a file from the server he just started. But how does this pose a potential security vulnerability? A file gets uploaded to a place and that file is…

http server python web ssrf

asked Mar 28 '17 at 15:31

ErrorrrDetector

votes

1 answer

How to exploit SVG xlink-based SSRF

First, let me summarize how the SSRF works: 1) You setup an SVG image with a reference to your server via xlink. Here's an example that works:

svg ssrf

asked May 29 '19 at 20:43

Jack

votes

2 answers

What is the difference between RFI/LFI and SSRF?

Is there any difference between those? Can we say that Server Side Request Forgery (SSRF) is a generalization of Remote File Inclusion (RFI) and Local File Inclusion (LFI)?

file-inclusion ssrf

asked Aug 13 '18 at 09:14

kozooh

votes

2 answers

Potential issues allowing users to set any URL as web hook

I’m still in the planning stage so this may not be fully fleshed out, but I’m working on a SaaS project. Part of which allows users (customers of my SaaS) to configure my API to watch for events and respond in a preconfigured way. One response is…

http ssrf

asked Oct 16 '17 at 18:24

DasBeasto

1,796
2
14
14

votes

1 answer

Hijacking URL that ends with a trailing slash

I am pentesting an API which makes a backend call to https://example.org/ and appends any input you provide it (for example, if you provide test it will call https://example.org/test). I am trying to achieve SSRF in this scenario, so my goal is to…

http api url-redirection ssrf

asked Aug 02 '21 at 19:07

Bob

votes

2 answers

Server Side request forgery (SSRF) explanation

I am looking to gain a better understanding of the SSRF vulnerability. I have googled and watched YouTube tutorials but they all show advanced techniques that are difficult to understand. I am curious as to how to connect to a website with my…

webserver apache server port-forwarding ssrf

asked Aug 01 '18 at 07:28

Rifat Shommo

votes

0 answers

how to fix Out-of-band resource load (HTTP) issue identified by BURP scan

I have Salesforce application which is using my web application hosted in one of our customer's server (IIS 8.0). BURP Scan has identified one issue in my web application. Issue is something like this. Severity: High Confidence: Certain Host: …

http iis burp-suite ssrf

asked Feb 20 '18 at 07:10

rakesh

votes

0 answers

HTML Injection to blind SSRF testing retrieves only DNS Query

I recently came across an application that was vulnerable to HTML injection on the invite function. When I insert

the image got rendered on the mail I received. I decided to test for blind ssrf out of band detection, so I gave…

http dns ssrf

asked Jul 19 '20 at 15:16

None_None

votes

2 answers

Why does Portswigger's solution to the lab "SSRF with whitelist-based input filter" work?

The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter The solution is: http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos A little simplified (no port…

whitelist ssrf

asked Mar 03 '20 at 01:45

Kevin1923851823

votes

0 answers

Is it safe to let users enter a URL in my app that queries an external REST api?

The idea was to allow users to enter a URL inside the application that would send a request to my backend, fetch the data, and load it into a local cache (Apollo/GraphQL). The only sensitive data sent to the server is a JWT attached in the headers…

appsec rest ssrf

asked Nov 26 '19 at 06:02

Adam Johnston

votes

2 answers

Secure AWS instance metadata against potential SSRF

I am running a Windows instance on AWS. The instance has an IIS service running on it. The IIS service has a user associated to it and it has no need to access the AWS instance metadata. I was reading up on…

windows firewalls iis aws ssrf

asked Aug 10 '19 at 04:23

Raimonds Liepiņš

votes

2 answers

Flow of a host header injection attack?

I am new to this field and would like to know how the flow happens in a host header injection attacks. I believe it's as below: Client generates the request. Attacker manipulates the request and changes the host header (to say example.com). Server…

header ssrf host-header-injection

asked Mar 17 '19 at 04:32

pratik pattanaik

votes

1 answer

is SSRF attack or vulnerability?

I'm reading now about SSRF attacks, and many articles "SSRF is an attack" and others said "it's a vulnerability." Which is correct?

attacks vulnerability ssrf

asked Feb 02 '19 at 12:45

just4learn2

2 3 Next