Request Forgery: LLM-Enabled Server-Side Request Forgery

Identifier: llm_ssrf

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

LLM-enabled Server-Side Request Forgery (SSRF) occurs when the model has the ability to make outbound web requests (browsing, retrieval, RAG, plugin tools) and an attacker can steer those requests at attacker-chosen targets - typically internal services, cloud metadata endpoints, or arbitrary external hosts.

How we test: We ask the LLM to fetch a small set of URLs designed to detect SSRF: AWS / GCP cloud metadata endpoints (169.254.169.254), Escape's out-of-band collector at ssrf.tools.escape.tech with a unique per-probe identifier, and internal IP probes. Confirmation uses two independent signals - either is sufficient on its own: (a) the response body contains AWS / GCP metadata markers (e.g. instance-id, iam, identity-credentials) or Escape's capture specifier H@k3d!, or (b) the OOB collector API confirms a callback was received tagged with our per-probe identifier. We also try a gopher:// scheme variant for protocol-smuggling targets.

Every probe emits a context.info event with the full prompt, the redacted response excerpt, and the raw HTTP request/response as attachments, so customers can independently audit what was sent.

Configuration

Example

Example configuration:

---
security_tests:
  llm_ssrf:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.