SYM_JSTS_0042 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User-controlled data from HTTP requests is being passed directly to PhantomJS methods in your Express application without validation. This allows attackers to control URLs or content processed by PhantomJS, leading to server-side request forgery (SSRF).
Impact
An attacker could trick your server into making requests to internal or external systems, potentially accessing sensitive data, bypassing firewalls, or aiding in further attacks. This could lead to data breaches, exposure of internal services, or allow attackers to pivot deeper into your network.