Details

Alert ID: 40046
Alert Type: Active
Status: beta
Risk: High
CWE: 918
WASC: 20
Technologies Targeted: All
Tags: CWE-918, OUT_OF_BAND, OWASP_2021_A10, POLICY_DEV_FULL, POLICY_QA_FULL, POLICY_SEQUENCE, WSTG-V42-INPV-19
More Info: Scan Rule Help

Summary

The web server receives a remote address as input and retrieves the contents of that URL, but it does not sufficiently ensure that the request is sent only to the expected destination. An attacker who controls the address can therefore make the server issue requests on their behalf, including to hosts that are not reachable from the outside (server-side request forgery, CWE-918).

Solution

Do not accept remote addresses as request parameters. If you must, validate them against an allow-list of expected values (scheme, host and port), rather than attempting to block known-bad addresses.
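The allow-list check described above, as an added example in Python; it is not code from ZAP or from the scan rule referenced on this page. The allowed destinations, the `validate_remote_url` and `fetch_allowed` names, and the sample inputs are assumptions made for illustration. The validator matches the exact (scheme, host, port) tuple, refuses URLs that carry userinfo (the `host@other-host` trick), refuses non-HTTP schemes such as `file:` and `gopher:`, and normalises the URL so that the fetch uses exactly what was checked. The vulnerable form this replaces would be a plain `urlopen(user_supplied_url)`.

```python
"""Allow-list validation of a user-supplied URL before the server fetches it.

Added example (not ZAP code). ALLOWED_DESTINATIONS is an assumed allow-list.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed allow-list: the only (scheme, host, port) tuples this service may fetch from.
ALLOWED_DESTINATIONS = {
    ("https", "images.example.com", 443),
    ("https", "cdn.example.com", 443),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def validate_remote_url(url: str) -> str:
    """Return a normalised URL if it matches the allow-list, else raise ValueError.

    Normalisation matters: the fetch must use exactly the value that was checked,
    not the raw user input, so that parser differences cannot be exploited.
    """
    parts = urlsplit(url)

    # Only plain web schemes; this blocks file:, gopher:, dict:, ftp: and friends.
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme not allowed: {scheme!r}")

    # Reject userinfo outright: "https://images.example.com@10.0.0.1/" really
    # targets 10.0.0.1, and reviewers reading logs tend to miss that.
    if "@" in parts.netloc:
        raise ValueError("userinfo in URL is not allowed")

    host = parts.hostname  # urlsplit lower-cases the host and strips IPv6 brackets
    if not host:
        raise ValueError("missing host")
    host = host.rstrip(".")  # "images.example.com." resolves the same as without the dot

    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError as exc:
        raise ValueError(f"invalid port: {exc}") from exc
    if port is None:
        port = DEFAULT_PORTS[scheme]

    # Exact-match against the allow-list. IP literals (169.254.169.254, 127.0.0.1,
    # 0x7f000001, [::1]) are rejected simply because they are not in the list.
    if (scheme, host, port) not in ALLOWED_DESTINATIONS:
        raise ValueError(f"destination not allow-listed: {scheme}://{host}:{port}")

    # Rebuild with an explicit port and no fragment, so the fetch uses the checked value.
    return urlunsplit((scheme, f"{host}:{port}", parts.path or "/", parts.query, ""))


def is_allowed(url: str) -> bool:
    """Boolean wrapper around validate_remote_url for callers that only need a verdict."""
    try:
        validate_remote_url(url)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: an allow-listed host could otherwise bounce the request
    to an internal address after validation has passed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_allowed(url: str, timeout: float = 5.0) -> bytes:
    """Validate, then fetch without following redirects (network call; not run in tests)."""
    safe_url = validate_remote_url(url)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(safe_url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample inputs, mixing legitimate values with typical SSRF payloads.
    samples = [
        "https://images.example.com/a.png",
        "HTTPS://IMAGES.EXAMPLE.COM:443/a.png",
        "https://images.example.com./a.png",
        "http://images.example.com/a.png",
        "https://images.example.com:8443/a.png",
        "https://images.example.com@10.0.0.1/",
        "https://images.example.com%2F@evil.example/",
        "file:///etc/passwd",
        "https://169.254.169.254/latest/meta-data/",
        "images.example.com/a.png",
    ]
    for s in samples:
        print(f"{'ALLOW ' if is_allowed(s) else 'REJECT'} {s}")
```

The allow-list answers "is this the destination we expected?", which is the property the summary says is missing. Two things it does not cover on its own: a redirect from an allow-listed host (handled here by refusing redirects; re-validating each hop is the alternative), and DNS rebinding, where an allow-listed name resolves to an internal address at fetch time. For the latter, resolve once, check the address, and connect to that address, or enforce the restriction at the network egress layer as well.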

Other Info

The scan rule supplied a URL pointing at the out-of-band (OAST) service, and the canary token from that service was then found in the response body. This means the target fetched the attacker-controlled URL and returned its contents, confirming the server-side request.

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/SsrfScanRule.java