A10: Server-Side Request Forgery (SSRF)
Trick the server into making a request to an internal service that it should not have access to.
Interactive Simulation
An "Import from URL" feature can be abused to make the server request internal resources.
How to Simulate
- Normal Behavior: Click the "External Image URL" button, then "Import" to see the feature's intended, successful response.
- The Attack: Now, click the "Internal Service URL" button and then "Import". Observe that the server returns the content of the internal service, leaking information.
- Enable Defense: Enable 'Input Validation' and attempt to import the "Internal Service URL" again.
- Verify Defense: The server now checks the URL and blocks the request, preventing the SSRF attack.
Explanation
SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. A successful attack coerces the application into sending a crafted request to an unexpected destination, including hosts that a firewall or VPN would otherwise shield from the attacker.
This can be used to access internal services, read local files, or scan the internal network for other vulnerabilities.
Toggle Defense
When ON, the server checks the provided URL against a block-list of internal IP addresses and hostnames (like `127.0.0.1` and `localhost`). If a match is found, the request is rejected before it can be made.
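As an added example (not the simulation's own code), the following Python validator goes one step beyond the literal block-list described above: it allows only http and https, and it classifies the address the hostname actually resolves to, so a name that points at an internal address is rejected even when the string itself is not on the list. The `DEMO_DNS` table and the injectable `resolve` parameter are constructed here so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the import feature needs nothing else

# Constructed lookup table used only for the offline demo below.
DEMO_DNS = {"example.com": {"93.184.216.34"}, "localhost": {"127.0.0.1"}}


def _default_resolve(host):
    """Resolve host via the system resolver; strips IPv6 scope ids like '%eth0'."""
    return {info[4][0].split("%", 1)[0] for info in socket.getaddrinfo(host, None)}


def _is_internal(ip):
    """True for loopback, private, link-local and any other non-globally-routable address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # classify the embedded IPv4 address, not the IPv6 wrapper
    return not ip.is_global


def is_safe_import_url(url, resolve=_default_resolve):
    """Return (allowed, reason) for a user-supplied import URL."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = {ipaddress.ip_address(host)}  # literal IP: no DNS needed
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):
            return False, f"{host!r} does not resolve"
    if not addresses:
        return False, f"{host!r} does not resolve"
    # Every record must be public: one internal record among public ones is
    # enough for the client to end up connecting to the internal address.
    for ip in addresses:
        if _is_internal(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    demo = lambda h: DEMO_DNS.get(h, set())
    for candidate in ("https://example.com/logo.png", "http://127.0.0.1/admin",
                      "http://localhost:8080/", "file:///etc/passwd"):
        print(candidate, "->", is_safe_import_url(candidate, resolve=demo))
```

The fetching client must apply the same check to any redirect target and connect to the address that was validated, otherwise the control covers only the first hop.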