Server Side Request Forgery
- Risk:
High
- Type:
- Active
- CWE:
- 918
- Summary
- The web server receives a remote address and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
- Solution
- Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.
- Other info
- The canary token from the out-of-band service was found in the response body.