SYM_PHP_0015 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description
The application uses user-supplied input (such as GET, POST, COOKIE, or REQUEST data) directly in functions that make server-side HTTP requests (like curl, fopen, or file_get_contents) without proper validation. This allows attackers to control server-side requests and potentially access internal resources.
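The pattern this rule flags, beside a hardened fetch, as an added example that is not code from the database entry or the Symbiotic project; the allowlisted host `api.example.com` and the `ALLOWED_HOSTS` constant are assumptions.

```php
<?php
// Added example (not from the database entry): the flagged pattern beside a
// hardened fetch. The allowlisted host is an assumed placeholder.

// Vulnerable: a request-controlled URL flows straight into a server-side fetch.
function fetch_unsafe()
{
    return file_get_contents($_GET['url']); // CWE-918: any scheme, any host
}

const ALLOWED_HOSTS = ['api.example.com']; // assumption: hosts this app may call

// Hardened: allowlist scheme and host, resolve the name ourselves, reject
// private/loopback/link-local targets, pin the validated IP, never follow redirects.
function fetch_safe(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('scheme or host not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once (IPv4 A records) and validate every address, so a name that
    // points at an internal range is refused instead of fetched.
    $ips = gethostbynamel($host);
    if ($ips === false) throw new RuntimeException('DNS resolution failed');
    foreach ($ips as $ip) {
        // Rejects 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 and other reserved ranges.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new RuntimeException("$host resolves to non-public address $ip");
        }
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                     // a redirect could re-target the request
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // use the IP we validated, not a fresh lookup
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) throw new RuntimeException('request failed: ' . curl_error($ch));
    return $body;
}
```

Pinning the resolved address with `CURLOPT_RESOLVE` matters because validating a hostname and then letting curl resolve it again leaves a window in which the name can change; the check and the connection must use the same address.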
## Impact
If exploited, attackers could make your server send requests to internal services, cloud metadata endpoints, or other sensitive systems, leading to data exposure, unauthorized actions, or further attacks against your infrastructure. This could compromise confidential data and put the entire environment at risk.