
Server Side Request Forgery

  • Risk: High
  • Type: Active

Summary

The web server receives a remote address and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Solution

Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.

Other info

The canary token from the out-of-band service was found in the response body.

References

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
