Skip to content

Request Forgery: Server Side Request Forgery

Identifier: ssrf

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

Server Side Request Forgery happens when an application blindly sends a request to a URL provided by a user. Without proper checks, attackers can supply a URL that directs the request to an internal service or a restricted resource, helping them bypass security boundaries like firewalls or VPN protections. This oversight can let attackers expose sensitive internal systems or data, and might even be used as a stepping stone for more intrusive attacks. Developers often face this risk when they dont implement strict input validation and proper URL filtering, making it a small mistake with serious potential impact if left unaddressed.

Configuration

Example

Example configuration:

---
security_tests:
  ssrf:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.