-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathServerSideRequestForgery-end.inc.qhelp
More file actions
47 lines (39 loc) · 1.71 KB
/
ServerSideRequestForgery-end.inc.qhelp
File metadata and controls
47 lines (39 loc) · 1.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<recommendation>
<p>To guard against SSRF attacks you should avoid putting user-provided input directly
into a request URL. Instead, either maintain a list of authorized URLs on the server and choose
from that list based on the input provided, or perform proper validation of the input.
</p>
</recommendation>
<example>
<p>The following example shows code vulnerable to a full SSRF attack, because it
uses untrusted input (HTTP request parameter) directly to construct a URL. By using
<code>evil.com#</code> as the <code>target</code> value, the requested URL will be
<code>https://evil.com#.example.com/data/</code>. It also shows how to remedy the
problem by using the user input select a known fixed string.
</p>
<sample src="examples/ServerSideRequestForgery_full.py" />
</example>
<example>
<p>
The following example shows code vulnerable to a partial SSRF attack, because it
uses untrusted input (HTTP request parameter) directly to construct a URL. By
using <code>../transfer-funds-to/123?amount=456</code> as the
<code>user_id</code> value, the requested URL will be
<code>https://api.example.com/transfer-funds-to/123?amount=456</code>. It also
shows how to remedy the problem by validating the input.
</p>
<sample src="examples/ServerSideRequestForgery_partial.py" />
</example>
<references>
<li>
<a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF article</a>
</li>
<li>
<a href="https://portswigger.net/web-security/ssrf">PortSwigger SSRF article</a>
</li>
</references>
</qhelp>