Sensitive AWS details exposed via replacing file param due to SSRF
The endpoint appears to be vulnerable to Server Side Request Forgery attack. The original request was replayed by replacing file parameter with sensitive file path. The application responded with 2XX success code and also gave out sensitive AWS information in response.
Server Side Request Forgery (SSRF)
How this template works
The API selection filters in this template specify the conditions that the API request must meet in order to be selected for execution. In this case, the filters check for a response code between 200 and 204 (inclusive) and also look for the presence of a "file" parameter either in the request payload or query parameters.
The execute section of the template defines the type of request to be executed (in this case, a single request) and provides the necessary modifications to the query parameter and body parameter. In this example, the "file_key" parameter is modified to have the value "///etc/passwd".
The validation section specifies the conditions that the response must meet in order to be considered valid. It checks for a response code between 200 and 299 (inclusive) and also uses a regular expression to validate the response payload, ensuring that it matches the pattern "root:.*:0:0:".
Frequently asked questions
What is SSRF (Server Side Request Forgery) and how does it pose a security risk
How does this test identify SSRF vulnerabilities related to file parameters
What is the impact of successfully exploiting an SSRF vulnerability in this test
What are the selection filters used to identify potential SSRF vulnerabilities in this test
How does the test modify the request to simulate an SSRF attack
What validation criteria are used to determine if the test was successful