Request Forgery: Server-Side Request Forgery via File Upload
Identifier: file_upload_ssrf
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Server-Side Request Forgery via file upload (CWE-918) occurs when a server-side processor (image resizer, SVG renderer, document converter, XML parser) follows attacker-supplied references inside an uploaded file. Common vectors are SVG xlink:href, SVG <image href>, and XML SYSTEM references.
How we test: For each detected upload endpoint we submit a tiny SVG / XML payload whose embedded reference (xlink:href, <image href>, XML SYSTEM) points at the Escape out-of-band collector at ssrf.tools.escape.tech, carrying a unique per-probe identifier prefixed with fu- so that it can be told apart from the LLM module's SSRF check. The default catalogue does not include cloud metadata IPs. The finding is confirmed by a tagged callback received at the OOB collector API.
Every probe emits a context.info event with the raw multipart request and the upload response as attachments.
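As an added illustration of the mitigation side (not code from the scanner or from this page), the following Python check is what an upload handler could run before handing a file to an image resizer or XML parser: it rejects any DTD construct (which covers SYSTEM entities) and any href / xlink:href whose value is not a fragment or data: URI. The sample files, hostnames and fu- identifiers are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct is rejected outright: an uploaded SVG/XML never needs one,
# and <!DOCTYPE/<!ENTITY ... SYSTEM "..."> is the XML-side SSRF (XXE) vector.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Reference forms that stay inside the document and cannot cause a fetch.
SAFE_PREFIXES = ("#", "data:")


def find_external_references(data: bytes) -> list:
    """Return findings that would let a server-side renderer fetch a remote
    resource; an empty list means the file only references itself."""
    if DTD_RE.search(data):
        return ["dtd: DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)  # ET does not resolve external entities
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]  # unparsable input is rejected, not rendered
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]
        for name, value in elem.attrib.items():
            # Match bare href (SVG 2) and {xlink-ns}href (SVG 1.1 xlink:href).
            if name.rsplit("}", 1)[-1] != "href":
                continue
            if not value.strip().startswith(SAFE_PREFIXES):
                findings.append(f"{tag}/{name}: {value.strip()}")
    return findings


def is_safe_upload(data: bytes) -> bool:
    return not find_external_references(data)


# Constructed samples; hostnames and fu- identifiers are placeholders.
SSRF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<image xlink:href="http://oob.collector.example/fu-0001" '
            b'width="1" height="1"/></svg>')
SSRF_SVG2 = (b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<image href="https://oob.collector.example/fu-0002"/></svg>')
XXE_XML = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://oob.collector.example/fu-0003">]>'
           b'<d>&x;</d>')
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="g"/>'
              b'</defs><rect width="1" height="1" fill="url(#g)"/><use href="#g"/></svg>')
```

CSS-style references such as fill="url(http://...)" or a <style> block are outside this check, so a renderer that honours them still needs its own network egress restricted.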
References:
- https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
- https://cwe.mitre.org/data/definitions/918.html
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.