Request Forgery: Server Side Request Forgery
Identifier: ssrf
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Server Side Request Forgery vulnerabilities occur when an application sends requests to user-supplied URLs without proper validation, allowing an attacker to direct those requests at internal services or otherwise restricted resources and so bypass network security boundaries.
How we test: We inject SSRF payloads containing URLs pointing to internal services or our callback server into request parameters and analyze responses to detect if requests are made to the specified URLs. We test for various SSRF attack vectors including internal network scanning, cloud metadata access, and callback verification.
Important note: to ensure this test works, you need the ssrf.tools.escape.tech domain to be allowed in your WAF/Firewall egress rules. This is so that Escape can get a ping back from your application server.
Execution conditions (BLST):
- Static SSRF checks are run first.
- Active SSRF fuzzing then runs when this test is enabled, arguments are present, and coverage is not SERVER_UNREACHABLE, TIMEOUT, RATE_LIMIT, UNAUTHORIZED, REDIRECTION, or GENERIC_ERROR.
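As an added example (not code from the Escape page or product), the defender-side counterpart of the vectors listed above: a URL check that rejects destinations resolving to loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-routable addresses before the server fetches them. The function names, the allowed-scheme policy and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for this example: only plain http/https fetches are allowed.
ALLOWED_SCHEMES = {"http", "https"}


def _is_forbidden(ip):
    """True for addresses that an outbound fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # Covers RFC 1918/ULA, loopback, link-local (169.254.169.254 cloud
    # metadata), multicast, reserved and unspecified addresses.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied URL before fetching it.

    The host is always resolved, so decimal (2130706433), hex and other
    exotic IP spellings are judged by the address they actually map to.
    `resolver` is injectable so the check can be unit-tested offline.
    """
    try:
        parts = urlparse(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            infos = resolver(host, port or 80, proto=socket.IPPROTO_TCP)
        except OSError:
            return False, f"cannot resolve {host}"
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:
        if _is_forbidden(ip):
            return False, f"{host} targets forbidden address {ip}"
    return True, "ok"
```

Apply the check to the address the client actually connects to (or pin the resolved IP for the fetch) so a DNS answer that changes between validation and connection cannot slip past it, and re-run it on every redirect the fetched server returns.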
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.