Facebook launched a new tool on Thursday to assist security researchers in the hunt for Server-Side Request Forgery (SSRF) vulnerabilities. An SSRF attack, as OWASP defines it, lets an attacker abuse functionality on the server to read or update internal resources that the server can reach but the attacker cannot.
“The attacker can supply or modify a URL that the code running on the server will read or submit data to,” OWASP explains. “By carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services such as HTTP-enabled databases, or perform POST requests towards internal services that are not intended to be exposed.”
The new Facebook software, dubbed SSRF Dashboard, has a simple UI that lets researchers generate unique internal endpoint URLs to target and then check whether those URLs were hit during an SSRF attempt.
For each generated SSRF attempt URL, the dashboard lists the creation date, a unique ID and the number of hits the URL has received, in a table alongside the researcher's other URLs.
According to Facebook, the tool lets researchers confirm whether an SSRF proof-of-concept (PoC) actually worked: a generated URL is hit only if the PoC made the target server issue the request, so a recorded hit is direct evidence of a successful PoC rather than an inference from error messages or response timing.
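To make the mechanics concrete, here is an added example (written for this page, not Facebook's code and not the SSRF Dashboard itself): a toy canary registry that hands out unique attempt URLs and counts hits, the same bookkeeping the dashboard exposes (ID, creation time, hit count), exercised against a deliberately vulnerable URL fetcher and a hardened one. The hostnames, IP addresses and the in-memory DNS/HTTP stand-ins are all constructed so the script runs offline; `ssrf-canary.internal.example` is a hypothetical internal host.

```python
"""Added example: a toy SSRF canary registry plus a vulnerable and a hardened
URL fetcher exercised against it. All hosts, IPs and names are constructed."""
import ipaddress
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Canary:
    canary_id: str
    url: str
    created: float
    hits: int = 0


class CanaryRegistry:
    """Hands out unique attempt URLs and counts how often each one is requested."""

    def __init__(self, host="ssrf-canary.internal.example"):  # hypothetical internal host
        self.host = host
        self._by_id = {}

    def create(self) -> Canary:
        cid = secrets.token_hex(8)  # unguessable, so a hit can only come from the PoC
        c = Canary(cid, f"http://{self.host}/{cid}", time.time())
        self._by_id[cid] = c
        return c

    def record_hit(self, path: str) -> bool:
        c = self._by_id.get(path.strip("/").split("/")[0])
        if c is None:
            return False
        c.hits += 1
        return True

    def hits(self, canary_id: str) -> int:
        return self._by_id[canary_id].hits


def make_fake_network(registry: CanaryRegistry):
    """Constructed stand-in for DNS and HTTP so the example runs offline."""
    dns = {registry.host: "10.0.0.5",              # canary sits on the internal network
           "localhost": "127.0.0.1",
           "169.254.169.254": "169.254.169.254",   # cloud metadata endpoint
           "cdn.example.org": "93.184.216.34"}     # the only legitimately public host (constructed mapping)

    def resolve(host):
        return dns[host]

    def http_get(ip, host, path):
        if host == registry.host:
            registry.record_hit(path)   # this is the "hit" the dashboard would show
            return "canary"
        return f"body from {host} ({ip}){path}"

    return resolve, http_get


def fetch_preview_vulnerable(url, resolve, http_get):
    """Fetches whatever URL the user supplies: a classic SSRF sink."""
    u = urlparse(url)
    return http_get(resolve(u.hostname), u.hostname, u.path or "/")


def is_public(ip: str) -> bool:
    """Rejects private, loopback, link-local (incl. 169.254.169.254) and reserved ranges."""
    a = ipaddress.ip_address(ip)
    return a.is_global and not a.is_multicast


def fetch_preview_hardened(url, resolve, http_get):
    """Same feature, but only http(s) to a name that resolves to a public address,
    and the request goes to the address that was checked (no second DNS lookup)."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    ip = resolve(u.hostname)
    if not is_public(ip):
        raise ValueError(f"refusing request to non-public address {ip}")
    return http_get(ip, u.hostname, u.path or "/")


def run_poc(registry, fetcher):
    """Submit a fresh canary URL to the fetcher; return the canary's hit count afterwards."""
    c = registry.create()
    resolve, http_get = make_fake_network(registry)
    try:
        fetcher(c.url, resolve, http_get)
    except ValueError:
        pass   # the hardened fetcher refuses; the canary is never reached
    return registry.hits(c.canary_id)


if __name__ == "__main__":
    print("vulnerable fetcher hits:", run_poc(CanaryRegistry(), fetch_preview_vulnerable))
    print("hardened fetcher hits:  ", run_poc(CanaryRegistry(), fetch_preview_hardened))
```

The vulnerable fetcher records exactly one hit on the canary, which is the only signal the researcher needs; the hardened fetcher records none and still serves the public host. Two design points carry over to real fixes: the IP that was validated must be the IP that is connected to (otherwise a DNS rebinding between lookup and connect defeats the check), and any redirect the fetcher follows has to go through the same validation, since a public host can redirect to an internal address.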
Facebook asks researchers who find SSRF vulnerabilities to include the ID of the SSRF attempt URL, along with the PoC, in their reports.
“Server Side Request Forgery (SSRF) vulnerabilities are among the most difficult to identify, because external researchers aren’t able to notice the server’s susceptible behaviour directly,” Facebook says.
More information on the tool and how to use it, as well as details of the social media platform's bug bounty program, can be found on Facebook's bug bounty site.