Server-Side Request Forgery (SSRF)
ID | scala.ssrf.scala_ssrf_rule_playssrf
Severity | high
Resource | Ssrf
Language | Scala
Description
Server-Side Request Forgery occurs when a web server executes a request to a user-supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server.
Rationale
The following code illustrates a vulnerable pattern detected by this rule:

```scala
import play.api.libs.ws.WSClient

def unsafe(ws: WSClient, url: String, input: String): Unit = {
  // VULNERABLE: Server-Side Request Forgery (SSRF): the entire destination comes from the caller
  ws.url(url + "?query=abc")
  // VULNERABLE: Server-Side Request Forgery (SSRF): same, with no query string appended
  ws.url(url)
  val internal = "https://test.com"
  // VULNERABLE: Server-Side Request Forgery (SSRF): untrusted suffix appended to a fixed base,
  // so path, host (via "@" or "//") or scheme can still be influenced by the caller
  ws.url(internal + input)
}
```
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
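The following is an added example of a hardened counterpart to the flagged function, not code from the rule or from Play itself. It assumes a fixed allowlist of destination hosts (`allowedHosts`, a constructed value) and keeps the caller's `input` confined to a query parameter instead of concatenating it into the URL.

```scala
import java.net.URI
import scala.util.Try
import play.api.libs.ws.{WSClient, WSRequest}

// Hypothetical allowlist: only these hosts may ever be contacted by this code path.
// An allowlist of known destinations is preferred over trying to blocklist internal ranges.
val allowedHosts: Set[String] = Set("api.example.com", "test.com")

/** Validate a caller-supplied destination before any request object is built.
  * Rejects relative or unparsable URLs, non-HTTPS schemes, URLs carrying user-info
  * ("user@host" tricks), and any host that is not on the allowlist.
  */
def validateDestination(raw: String): Either[String, URI] =
  Try(new URI(raw)).toOption.filter(_.isAbsolute) match {
    case None =>
      Left("not an absolute URL")
    case Some(uri) if uri.getScheme != "https" =>
      Left(s"scheme not allowed: ${uri.getScheme}")
    case Some(uri) if uri.getUserInfo != null =>
      Left("user-info in URL not allowed")
    case Some(uri) if uri.getHost == null || !allowedHosts.contains(uri.getHost.toLowerCase) =>
      Left(s"host not allowed: ${uri.getHost}")
    case Some(uri) =>
      Right(uri)
  }

/** Hardened replacement for `unsafe`: the request is only built for a validated destination,
  * and the untrusted `input` is sent as an encoded query parameter rather than glued into
  * the path. Redirects are disabled so the validated host cannot bounce the server elsewhere.
  */
def safe(ws: WSClient, url: String, input: String): Either[String, WSRequest] =
  validateDestination(url).map { uri =>
    ws.url(uri.toString)
      .withFollowRedirects(false)
      .addQueryStringParameters("query" -> input)
  }
```

The check runs on the parsed `URI`, not on the raw string, so host comparisons are not fooled by case or by encoded characters that would only be interpreted after parsing.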
References
- OWASP Top 10 2021 - A10: Server-Side Request Forgery.