Facebook SSRF Dashboard allows hunting SSRF vulnerabilities

Facebook developed a new tool that allows security experts to look for Server-Side Request Forgery (SSRF) vulnerabilities in their software.

Facebook announced to have designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.

Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.

“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”

“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.

SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.

Pentesters could report any SSRF flat to the company by including the ID of the SSRF attempt url that they used along with their PoC.

Additional information on the utility can be found here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SSRF)

[adrotate banner=”5″]

[adrotate banner=”13″]