Server-side Request Forgery (SSRF)

Overview

Server-side Request Forgery (SSRF) allows an attacker to cause the application to browse to an arbitrary HTTP endpoint of the attacker's choosing. Because the application server may not be properly segmented from the internal network, the application may have access to HTTP endpoints behind the firewall that the attacker cannot reach directly.

Discovery Methodology

Locate an input parameter that allows control of the URL that the application browses to. The input parameter may be hidden.

Exploitation

Change the value of the input parameter to point to an HTTP endpoint that the application server has access to.
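An added example (Python, not code from the original page) of the defensive counterpart to the discovery and exploitation steps above: a validator that a "fetch this URL" feature applies before the server issues the request, rejecting non-HTTP schemes, credential tricks in the authority, hosts outside an optional allowlist, and any host that resolves to a non-public address. The allowlist, hostnames and addresses used are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Resolve to the set of IPs the server would actually connect to.

    Resolving (rather than string-matching the host) also catches alternate
    spellings such as decimal or octal IPs that look different from what they are.
    """
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_non_public(ip_text):
    """True for loopback, RFC 1918, link-local (including the cloud metadata
    address 169.254.169.254), unspecified, multicast and other reserved ranges."""
    return not ipaddress.ip_address(ip_text).is_global


def validate_fetch_url(url, allowed_hosts=None, resolver=default_resolver):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    allowed_hosts is a constructed, optional allowlist; resolver is injectable
    so the check can be unit-tested without network access.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # "http://trusted.example@127.0.0.1/" puts the real host after the "@"
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    if not addresses or any(is_non_public(a) for a in addresses):
        return False, "host resolves to a non-public address"
    # Remaining gaps the HTTP client must close: do not follow redirects
    # automatically, and connect to the address validated here rather than
    # re-resolving, so a later DNS answer (rebinding) cannot change the target.
    return True, "ok"
```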