Server-Side Request Forgery Analyzer
Configuration Name: SSRF
Description
Server-Side Request Forgery (SSRF) is a server-side application weakness that enables an attacker to cause a remote application to perform unintended data access on behalf of the attacker. By design, a server-side application may fetch a supplied URL as part of an intended feature, such as to obtain a profile photo from a URL. An SSRF weakness is present when an attacker can exploit that functionality to access a private network address or file resource from the vantage point of the server-side application. OWASP classifies Server-Side Request Forgery as #7 in its API Security Top 10 2023 (API7:2023).
Server-Side Request Forgery analyzer uses specially-constructed URLs with a hostname of an out-of-band interaction server (controlled by Aptori). The interaction server records any DNS and HTTP requests made to the URL. By observing what types of requests are made by the server-side application for the supplied URL, Server-Side Request Forgery analyzer can find evidence of a potential SSRF.
Faults Reported
Fault Identifier | Title | Summary | Solution | Severity |
---|---|---|---|---|
CWE-918 | Server-Side Request Forgery | Data contained in the response of the client-provided URL accessed by the server application was returned to the client of the original request. | See below. | high |
CWE-918 | Server-Side Request Forgery | The client-provided URL returned an HTTP redirect. The server application accessed the redirect location URL that may be controlled by the client, and data contained in the response of the redirect URL was returned to the client of the original request. | See below. | high |
CWE-918 | Server-Side Request Forgery | The application accessed a URL specified in the HTTP 308 redirect location returned by a URL supplied by the client. This is considered a Blind Server-Side Request Forgery (SSRF) with open redirection weakness. | See below. | medium |
CWE-918 | Server-Side Request Forgery | The application retrieved a URL provided as input by the client, but data from the response to the server application was not returned to the client of the original request. This is considered a Blind Server-Side Request Forgery (SSRF) weakness. | See below. | low |
Protective measures to prevent SSRF depend on the intended use of the URL sent to an application. When the URL is intended to specify only trusted applications (e.g., on an internal, private network), then an allow-list is the preferred mechanism. When the application design allows the URL to specify any external host, then a block-list that prevents access to private resources is the next best option. For more information, refer to Server-Side Request Forgery Prevention Cheat Sheet.