SecureBank
  • About SecureBank
  • A01:2021 – Broken Access Control
    • About
    • Challenges
  • A02:2021 – Cryptographic Failures
    • About
    • Challenges
  • A03:2021 – Injection
    • About
    • Challenges
  • A04:2021 – Insecure Design
    • About
    • Challenges
  • A05:2021 – Security Misconfiguration
    • About
    • Challenges
  • A06:2021 – Vulnerable and Outdated Components
    • About
    • Challenges
  • A07:2021 – Identification and Authentication Failures
    • About
    • Challenges
  • A08:2021 – Software and Data Integrity Failures
    • About
    • Challenges
  • A09:2021 – Security Logging and Monitoring Failures
    • About
  • A10:2021 – Server-Side Request Forgery (SSRF)
    • About
    • Challenges
  • CROSS SITE SCRIPTING (XXS)
    • About
    • Challenges
  • XML External Entities (XXE)
    • About
    • Challenges
  • Miscellaneous
    • Invalid Model
    • Invalid Redirect
    • Directory Browsing
    • Simultaneous Request
    • reDOS
Powered by GitBook
On this page

Was this helpful?

  1. A10:2021 – Server-Side Request Forgery (SSRF)

Challenges

PreviousAboutNextAbout

Last updated 2 years ago

Was this helpful?

CWE-918: Server-Side Request Forgery (SSRF)

REST API exposes an endpoint, which allows the user to upload arbitrary profile picture. Because the URL that user provides is not checked, they may send any GET request on behalf of the server. This may have unintended consequences, such as accessing assets inside VPN network, or content protected from the outside requests by firewalls.