Server-Side Request Forgery (SSRF)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User-supplied input from the HTTP request is being used directly to construct URLs for server-side requests with urllib without validation. This lets attackers control the destination of backend requests, which is unsafe.
Impact#
An attacker could make your server send requests to internal services or sensitive resources, potentially accessing private data or performing actions on behalf of your server. This could lead to data leaks, unauthorized access to infrastructure, or be leveraged to further compromise your environment.