Property
Language: php
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input is being used directly to set the host in a URL for a server-side request, allowing attackers to control where requests are sent. This makes it possible for untrusted users to target arbitrary servers using your application’s permissions.

Impact

If exploited, attackers could have your server send requests to malicious or internal systems, potentially leaking sensitive data (like cookies or authorization tokens) or probing your internal network. This could lead to data breaches, expose internal services, or facilitate further attacks against your infrastructure.
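The flagged pattern next to a hardened form, as an added example that is not part of the original rule page or its test cases. The host names, the `/v1/health` path and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only upstream hosts this application may call.
const ALLOWED_HOSTS = ['api.example.com', 'status.example.com'];

// Flagged pattern: the request host is taken straight from user input.
function fetchUnsafe(string $userHost)
{
    return file_get_contents('https://' . $userHost . '/v1/health');
}

// Hardened form: user input only selects among hosts the server already trusts.
function buildUpstreamUrl(string $userHost): string
{
    $host = strtolower(trim($userHost));
    // Exact, strict match. No substring, prefix or suffix checks, so values
    // such as "api.example.com@10.0.0.5" or "api.example.com.evil.test" fail.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host not allowed');
    }
    return 'https://' . $host . '/v1/health';
}

function fetchSafe(string $userHost): string
{
    $ch = curl_init(buildUpstreamUrl($userHost));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,       // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse file://, gopher://, http://
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('upstream request failed');
    }
    return $body;
}

// Constructed inputs, validated offline (no request is sent): only the first passes.
$samples = ['api.example.com', '10.0.0.5', 'localhost',
            'api.example.com@10.0.0.5', 'api.example.com.evil.test'];
foreach ($samples as $h) {
    try {
        echo $h, ' => ', buildUpstreamUrl($h), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $h, ' => rejected', PHP_EOL;
    }
}
```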