goldbergyoni / nodebestpractices

:white_check_mark: The Node.js best practices list (July 2024)
https://twitter.com/nodepractices/
Creative Commons Attribution Share Alike 4.0 International
97.39k stars 9.89k forks

Security: Prevent SSRF attacks #292

Open js-kyle opened 5 years ago

js-kyle commented 5 years ago

An SSRF (Server Side Request Forgery) vulnerability allows an attacker to change a parameter used by the Node.js application to create or control requests from the vulnerable server.

This introduces attack vectors such as

The example could show the use of a whitelist of allowed domains and protocols from which the Node.js application can fetch remote resources (and mention avoiding the use of user-provided URLs unless really required).
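An allowlist check of the kind this issue proposes, added here as an example (it is not code from the nodebestpractices repository or from the issue author); the names `ALLOWED_PROTOCOLS`, `ALLOWED_HOSTS`, `validateOutboundUrl` and `fetchRemote` and the sample hosts are assumptions for this illustration:

```javascript
// Added example, not from the nodebestpractices repo: validate a user-supplied
// URL against an allowlist of protocols and hosts before the server fetches it.
// ALLOWED_PROTOCOLS / ALLOWED_HOSTS / validateOutboundUrl are assumed names.

const ALLOWED_PROTOCOLS = new Set(['https:']);
// Constructed sample allowlist; a real service would load this from config.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

// Returns the normalised URL string if `input` is allowed, otherwise null.
// Only absolute URLs are accepted: `new URL()` throws on relative input.
function validateOutboundUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null;                                  // not an absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // rejects http:, file:, etc.
  if (url.username || url.password) return null;         // no embedded credentials
  if (url.port !== '') return null;                      // default port only
  // Exact hostname match, so "api.example.com.evil.test" does not pass;
  // the URL parser has already lower-cased the host for us.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Fetch only after validation. redirect: 'manual' stops the server from
// silently following a redirect from the allowed host to some other host.
async function fetchRemote(input) {
  const target = validateOutboundUrl(input);
  if (target === null) throw new Error('URL not in allowlist');
  return fetch(target, { redirect: 'manual' });
}
```

`fetchRemote` relies on the global `fetch` available in Node.js 18 and later.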

REALSTEVEIG commented 2 years ago

Yes, it's really lacking in that sense.