
Server-side request forgery

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Ronykris22 (talk | contribs) at 06:03, 6 May 2020.

In computer security, server-side request forgery (SSRF) is a type of exploit in which an attacker abuses the functionality of a server, causing it to access or manipulate information within that server's reach that would otherwise not be directly accessible to the attacker.[1]

Similar to cross-site request forgery, which uses a web client (for example, a web browser) within the domain as a proxy for attacks, an SSRF attack uses an insecure server within the domain as a proxy.

Types of SSRF

i. Basic SSRF: the response is displayed to the attacker.

ii. Blind SSRF: the response is not displayed to the attacker, which makes it difficult to detect at first sight.

Basic SSRF:

In this type of attack the response is displayed to the attacker: the server fetches the URL requested by the attacker and sends the response back to the attacker.

If a parameter of a URL is vulnerable to this attack, the attacker may be able to devise ways to interact with the server directly (i.e. via 127.0.0.1 or localhost) or with backend servers that are not accessible to external users.
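A server-side check for the loopback and internal targets just described, written as an added example (not code from the article): before fetching a user-supplied URL, the server resolves the host and refuses anything that is not a public address. It generalizes the article's 127.0.0.1/localhost case to all non-public ranges; the `resolver` parameter and the `check_fetch_target` name are assumptions made here so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: a "fetch this URL" feature may only reach public web hosts.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Resolve a hostname to every address it currently maps to (DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is really IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url, resolver=_resolve):
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason). The resolver is injectable for offline tests;
    in production, connect to the address checked here rather than resolving
    the name a second time, so a changed DNS answer cannot bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False, "loopback name"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: no DNS needed
    except ValueError:
        # Shorthand literals such as "127.1" are not parsed by ipaddress, but
        # the resolver expands them, so they are still caught by _is_public.
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```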

Blind SSRF:

In this type of attack the response is not sent back to the attacker. Therefore, the attacker has to devise ways to confirm this vulnerability.

References

  1. "The Open Web Application Security Project". OWASP.org. Retrieved 23 July 2018.