Facebook announced to have designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.
Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.
“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”
“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.
SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.
Pentesters could report any SSRF flat to the company by including the ID of the SSRF attempt url that they used along with their PoC.
Additional information on the utility can be found here.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, SSRF)
[adrotate banner=”5″]
[adrotate banner=”13″]
A former U.S. NSA employee has been sentenced to nearly 22 years in prison for…
A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest…
A flaw in the R programming language enables the execution of arbitrary code when parsing…
The China-linked threat actors Muddling Meerkat are manipulating DNS to probe networks globally since 2019.…
Finnish hacker was sentenced to more than six years in prison for hacking into an…
The US government’s cybersecurity agency CISA published a series of guidelines to protect critical infrastructure…
This website uses cookies.