Server-Side Request Forgery (SSRF)
Description
Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server.
Examples
Insecure Code
scala
val wsClient = WSClient()
wsClient.url(userInput)Secure Code
scala
val wsClient = WSClient()
val validatedUrl = validateUserInput(userInput)
wsClient.url(validatedUrl)Remediation
Validate user-supplied destination parameters to prevent Server-Side Request Forgery (SSRF) attacks. Ensure that the URL is properly sanitized and does not contain any malicious input.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0067 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-918 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | SSRF, Server-Side Request Forgery |
| OWASP | N/A |