Facebook Designed a New Tool for Finding SSRF Vulnerabilities

On Thursday, Facebook released a new tool intended to help security researchers find Server-Side Request Forgery (SSRF) flaws in its services.

An SSRF attack, as OWASP defines it, lets an attacker abuse functionality on the server to read or update internal resources.

“By carefully picking the URLs, the attacker may be able to retrieve server configuration such as AWS information, connect to internal services like HTTP-enabled databases, or make POST requests towards internal services that are not supposed to be exposed,” OWASP adds.

The new Facebook tool, dubbed SSRF Dashboard, has a simple UI that lets researchers generate unique internal endpoint URLs to target and then check whether those URLs were hit during an SSRF attempt.

Each generated SSRF attempt URL is listed in a table alongside its creation date, a unique ID and the number of hits it has received.

Because only a successful proof of concept (PoC) produces a hit on the URL, researchers can reliably confirm that their SSRF PoC actually worked before reporting it, the company says.

Researchers who find SSRF vulnerabilities are asked to include the ID of the SSRF attempt URL, along with the PoC, in their reports.
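To make the detection mechanism concrete, here is an added example that is not Facebook's code (the dashboard's implementation is not shown on this page). It is a minimal, loopback-only canary dashboard in Python: each attempt gets a unique ID and URL, every request that reaches the URL is counted, and the table reports creation time, ID and hit count. A hypothetical `vulnerable_fetch` stands in for a server feature that fetches any user-supplied URL, and `hardened_fetch` shows the same feature behind a scheme check and hostname allowlist, so the canary is hit by the vulnerable path and not by the hardened one. All class and function names, and the allowlisted host, are assumptions made for the example.

```python
import datetime as dt
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import urlopen


class CanaryDashboard:
    """Hypothetical stand-in for an SSRF dashboard: hands out unique callback
    URLs and records every request that reaches them (loopback only)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._entries = {}  # attempt id -> {"created": ISO timestamp, "hits": int}
        self._server = ThreadingHTTPServer(("127.0.0.1", 0), self._make_handler())
        self.port = self._server.server_address[1]
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    def _make_handler(self):
        dashboard = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                # The first path segment is the attempt ID; unknown IDs get a 404
                ident = urlparse(self.path).path.strip("/").split("/")[0]
                known = dashboard.record_hit(ident)
                self.send_response(200 if known else 404)
                self.end_headers()

            def log_message(self, *args):  # keep the demo quiet
                pass

        return Handler

    def new_attempt(self):
        """Create a fresh attempt; returns (id, unique URL to plant in the PoC)."""
        ident = secrets.token_hex(8)
        with self._lock:
            self._entries[ident] = {
                "created": dt.datetime.now(dt.timezone.utc).isoformat(),
                "hits": 0,
            }
        return ident, f"http://127.0.0.1:{self.port}/{ident}"

    def record_hit(self, ident):
        """Count a hit for a known attempt ID; False if the ID is unknown."""
        with self._lock:
            if ident not in self._entries:
                return False
            self._entries[ident]["hits"] += 1
            return True

    def hits(self, ident):
        with self._lock:
            return self._entries[ident]["hits"]

    def table(self):
        """Rows as the dashboard would show them: (created, id, hits)."""
        with self._lock:
            return [(e["created"], i, e["hits"]) for i, e in self._entries.items()]

    def close(self):
        self._server.shutdown()
        self._server.server_close()


def vulnerable_fetch(url):
    """Hypothetical server feature that fetches any user-supplied URL.
    Returns the HTTP status code, or None if no HTTP response came back."""
    try:
        with urlopen(url, timeout=3) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def hardened_fetch(url, allowed_hosts=("example.com",)):
    """Same feature behind a scheme check and a hostname allowlist.
    Caveat: a string allowlist alone does not stop DNS rebinding or redirects
    to internal hosts; resolve and re-check the final address as well."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        raise ValueError(f"blocked outbound request to {parts.hostname!r}")
    return vulnerable_fetch(url)


if __name__ == "__main__":
    dash = CanaryDashboard()
    ident, canary_url = dash.new_attempt()
    print("planting", canary_url)
    vulnerable_fetch(canary_url)  # the vulnerable path reaches the canary
    try:
        hardened_fetch(canary_url)  # the hardened path does not
    except ValueError as exc:
        print(exc)
    for row in dash.table():
        print(row)  # hits is 1 for this ID
    dash.close()
```

The point of the unique ID is that a hit can only come from the target actually performing the request, so a count of one or more is positive confirmation of server-side fetching, while a count of zero tells the researcher the PoC never executed server-side (or was blocked) and should not be reported as working.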


“Server Side Request Forgery (SSRF) vulnerabilities are among the most difficult to identify,” Facebook writes, “since external researchers aren’t able to directly detect the server’s vulnerable behaviour.”

Facebook has published more information about the tool and how to use it, as well as details of its bug bounty programme.
