Facebook announced to have designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.
Server-side request forgery is a web security vulnerability that allows an attacker to induce the server side application to make HTTP requests to an arbitrary domain chosen by the attacker.
The attacker might cause the server to make a connection to internal only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of a SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.
SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF PoC code.
Pentesters could report any SSRF flat to the company by including the ID of the SSRF attempt url that they used along with their PoC.