ZAP – Server Side Request Forgery

Details
Alert ID	40046
Alert Type	Active
Status	beta
Risk	High
CWE	918
WASC	20
Technologies Targeted	All
Tags	CWE-918 HIPAA OUT_OF_BAND OWASP_2021_A10 PCI_DSS POLICY_DEV_FULL POLICY_PENTEST POLICY_QA_FULL POLICY_SEQUENCE WSTG-V42-INPV-19
More Info	Scan Rule Help

Summary

The web server receives a remote address and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Solution

Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.

Other Info

The canary token from the out-of-band service was found in the response body.

References

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Code

org/zaproxy/zap/extension/ascanrulesBeta/SsrfScanRule.java