CWE-918

GPTKB entity

Statements (23)
Predicate                                     Object
gptkbp:instanceOf                             gptkb:Common_Weakness_Enumeration
gptkbp:category                               Software Weakness
gptkbp:consequence                            Information Disclosure
                                              Access to Internal Resources
                                              Bypass of Security Controls
gptkbp:describes                              The software constructs all or part of a request to another system, but does not sufficiently validate or sanitize user-controllable data before sending the request.
gptkbp:example                                An attacker supplies a URL to an internal resource, causing the server to make a request to that resource.
gptkbp:externalLink                           https://cwe.mitre.org/data/definitions/918.html
gptkbp:foundIn                                APIs
                                              Web Applications
https://www.w3.org/2000/01/rdf-schema#label   CWE-918
gptkbp:mitigatedBy                            Validate and sanitize all user-supplied input used in requests.
                                              Restrict network access from the application server.
                                              Use allow-lists for URLs or hosts.
gptkbp:name                                   gptkb:Server-Side_Request_Forgery_(SSRF)
gptkbp:relatedTo                              gptkb:CWE-601
                                              CWE-610
                                              OWASP Top 10 A10:2021
gptkbp:status                                 Draft
gptkbp:vulnerableTo                           918
gptkbp:weakness                               gptkb:Base
gptkbp:bfsParent                              gptkb:Server-Side_Request_Forgery_(SSRF)
gptkbp:bfsLayer                               6