SYM_JSTS_0043 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Passing user-controlled data directly into Puppeteer methods such as page.goto or page.evaluate lets an attacker make the server perform unintended requests or actions. If values taken from request bodies, headers, or query parameters reach these methods without validation, the server is exposed to Server-Side Request Forgery (SSRF).
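The following is an added example, not code from the Symbiotic database entry or from Puppeteer itself. It shows the vulnerable pattern the description refers to next to a hardened version: an exact-hostname allowlist applied before page.goto, the same policy re-applied to every sub-request through page.setRequestInterception so that a redirect cannot escape it, and user data handed to page.evaluate as an argument instead of being spliced into source text. The hosts in ALLOWED_HOSTS are constructed sample values, and makeFakePage is a stand-in for a real Puppeteer Page so the example runs without a browser.

```javascript
// Added example, not code from the Symbiotic entry: an allowlist URL policy
// for Puppeteer navigation and a request-level re-check for redirects.
// ALLOWED_HOSTS holds constructed sample hosts; replace with your own.
const ALLOWED_HOSTS = new Set(['docs.example.com', 'status.example.com']);

// Returns the normalised URL string if `raw` may be fetched, otherwise null.
function checkTargetUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // throws on anything that is not an absolute URL
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null; // no file:, data:, chrome:
  if (url.username || url.password) return null; // "http://docs.example.com@10.0.0.8/" names another host
  if (url.port !== '') return null; // default ports only
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // hostname is already lower-cased by the URL parser
  return url.href;
}

// Handler for page.on('request'): every sub-request (redirect target, image,
// XHR) is held to the same policy as the initial navigation.
function requestPolicyHandler() {
  return (request) => {
    if (checkTargetUrl(request.url()) !== null) request.continue();
    else request.abort('blockedbyclient');
  };
}

// The pattern the entry describes: request data goes straight into Puppeteer.
async function renderUnsafe(page, query) {
  await page.goto(query.url); // SSRF: any scheme, any host
  return page.evaluate(`document.querySelector("${query.sel}").textContent`); // user text becomes code
}

// Hardened version: validate first, filter every request, and pass user data
// to evaluate as an argument rather than as source text.
async function renderSafe(page, rawUrl, rawSelector) {
  const target = checkTargetUrl(rawUrl);
  if (target === null) throw new Error('URL not permitted');
  await page.setRequestInterception(true);
  page.on('request', requestPolicyHandler());
  await page.goto(target);
  const text = await page.evaluate(
    (sel) => document.querySelector(sel)?.textContent ?? null,
    String(rawSelector),
  );
  return { target, text };
}

// Stand-in for a Puppeteer Page so the example runs without a browser.
// It records calls instead of driving Chromium; the evaluate stub only
// reports whether it received a function or a string.
function makeFakePage() {
  const log = { gotos: [], interception: false, handlers: {} };
  const page = {
    async goto(u) { log.gotos.push(u); },
    async setRequestInterception(v) { log.interception = v; },
    on(event, fn) { log.handlers[event] = fn; },
    async evaluate(fn, ...args) {
      return typeof fn === 'function' ? `fn(${args.join(',')})` : 'evaluated-string';
    },
  };
  return { page, log };
}

// Demo run against the fake page: one permitted target, one rejected.
const demo = makeFakePage();
renderSafe(demo.page, 'https://docs.example.com/report', 'h1')
  .then((r) => console.log('rendered:', r, 'goto calls:', demo.log.gotos))
  .catch((e) => console.error(e.message));
renderSafe(makeFakePage().page, 'http://10.0.0.8/admin', 'h1')
  .catch((e) => console.log('rejected:', e.message));
```

The allowlist is a content-level control only: the browser still resolves the permitted hostname itself, so a name that resolves to an internal address is not caught here. In production the check should be paired with network egress restrictions on the host or container that runs Chromium.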
Impact
If exploited, attackers could force your server to make requests to internal systems or external sites, potentially reaching sensitive data, internal APIs, or cloud metadata endpoints. This can lead to data breaches, unauthorized actions, or the use of your infrastructure to attack other services.