Server Side Request Forgery

Risk:
High

Type:
Active

CWE:
CWE-918

Summary: The web server receives a remote address and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Solution: Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.

Other info: The canary token from the out-of-band service was found in the response body.

References: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Free security scan for your website

Don't show website scan report rating on the leaderboard