Security Test: Server Side Request Forgery¶
Description¶
Default Severity:
Server Side Request Forgery happens when an application blindly sends a request to a URL provided by a user. Without proper checks, attackers can supply a URL that directs the request to an internal service or a restricted resource, helping them bypass security boundaries like firewalls or VPN protections. This oversight can let attackers expose sensitive internal systems or data, and might even be used as a stepping stone for more intrusive attacks. Developers often face this risk when they don’t implement strict input validation and proper URL filtering, making it a small mistake with serious potential impact if left unaddressed.
Configuration¶
Identifier:
request_forgery/ssrf
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.9 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | SI-10 |
| CWE | 918 |
| CVSS Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVSS Score | 7.3 |