Property
Language: generic
Severity: low
CWE: CWE-16: CWE CATEGORY: Configuration
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

A location block in your NGINX configuration uses ‘proxy_pass’ without the ‘internal’ directive. This means the proxy endpoint is accessible to the public, which can allow external users to send arbitrary requests through your server.

Impact

If exploited, attackers could leverage your server to perform server-side request forgery (SSRF), potentially accessing internal resources, sensitive data, or abusing your infrastructure to attack other systems. This can lead to information disclosure, unauthorized access, or help attackers bypass network controls.
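
The finding described above, shown as a flagged configuration beside a corrected one. This is an added example, not taken from the rule or from any real deployment: the server name, paths and backend address are constructed, and it assumes NGINX is built with the auth_request module.

```nginx
# Flagged: /_auth is meant only for NGINX's own auth subrequests, but
# without 'internal' any client can request it directly and have the
# request proxied to the backend.
server {
    listen 80;
    server_name example.test;               # constructed placeholder

    location /reports/ {
        auth_request /_auth;
        root /srv/www;
    }

    location = /_auth {
        proxy_pass http://127.0.0.1:9000/check;   # constructed backend
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
}

# Corrected: 'internal' restricts the proxying location to internal
# requests (auth_request subrequests, error_page, try_files,
# X-Accel-Redirect). A direct client request to /_auth returns 404.
server {
    listen 80;
    server_name example.test;

    location /reports/ {
        auth_request /_auth;                # subrequest, still allowed
        root /srv/www;
    }

    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
}
```

After reloading, a direct request to the internal location (for example with `curl -i http://example.test/_auth`) should return 404 while `/reports/` continues to work.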