DerScanner
Home / Vulnerability Database / Config files : Server-Side Request Forgery (SSRF)
Config files

Config files : Server-Side Request Forgery (SSRF)

Classification

OWASP Top 10 2013
A1-Injection
OWASP Top 10 2017
A1-Injection
OWASP Top 10 2021
A3-InjectionA10-Server-Side Request Forgery (SSRF)
OWASP MASVS
V6: 6.3.(L1/L2/L1+R/L2+R)
OWASP ASVS
API and Web ServiceFiles and ResourcesValidation, Sanitization and Encoding
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)
CWE
CWE-918CWE-1027
CWE/SANS Top 25 2021
CWE-918

Overview

Server-Side Request Forgery (SSRF) is possible.

A Server Side Request Forgery (SSRF) vulnerability allows an attacker to change a parameter used by the web application to create or manage requests from a vulnerable server.

When the manipulated request goes to the server, the server-side code picks up the manipulated URL and tries to read data to the manipulated URL. By selecting target URLs the attacker may be able to read data from services that are not directly exposed on the internet:

  • Cloud server meta-data
  • Database HTTP interfaces
  • Internal REST interfaces
  • Files (using file:// URIs)

References

  1. CWE-918: Server-Side Request Forgery (SSRF)
  2. OWASP: Server Side Request Forgery
  3. Top 10 2013-A1-Injection
  4. Top 10-2017 A1-Injection
  5. What is the Server Side Request Forgery Vulnerability & How to Prevent It?
  6. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
MEDIUM

DerScanner Severity Score

Do you want to fix Config files : Server-Side Request Forgery (SSRF) in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection