greenido / backbone-bira

backbone-bira
26 stars 12 forks

Potential SSRF in proxies #2

Open mal-tee opened 5 months ago

mal-tee commented 5 months ago

Hi!

The supplied proxies:

- https://github.com/greenido/backbone-bira/blob/master/test-page/prox.php
- https://github.com/greenido/backbone-bira/blob/master/test-page/proxy.php
- https://github.com/greenido/backbone-bira/blob/master/server/birra/war/test/prox.php

don't filter the input. Therefore they can be used to request e.g. localhost (including other services running on the machine) or other unwanted targets. This is called SSRF: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/

I am aware that this project is a demo project, but if I got the README right, it seems like this is deployed in the wild as well?

Best
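The fix a reviewer would normally ask for in a fetch proxy like the ones named above is an allow-list of destination hosts plus a check that the resolved address is public, with the checked address pinned for the actual request and redirects disabled. The block below is an added example written for this page; it is not code from the backbone-bira repository, and the function names (validate_proxy_target, proxy_fetch, expect), the ALLOWED_HOSTS entries and the fake DNS answers are assumptions made for illustration.

```php
<?php
// Added example, not the project's own prox.php/proxy.php. Names below
// (validate_proxy_target, proxy_fetch, ALLOWED_HOSTS) are this example's own.

// Hosts the proxy is permitted to reach. Constructed for illustration.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

/**
 * Returns ['host', 'port', 'ip', 'url'] when $url may be fetched, or a string
 * explaining the rejection. $resolver lets a caller inject a fake DNS lookup
 * for offline self-checks; it defaults to PHP's gethostbynamel().
 */
function validate_proxy_target(string $url, ?callable $resolver = null)
{
    $resolver = $resolver ?? 'gethostbynamel';
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return 'rejected: not an absolute URL';
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'rejected: scheme not allowed';          // blocks file://, gopher://, ...
    }
    if (empty($parts['host'])) {
        return 'rejected: no host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'rejected: credentials in URL';         // http://api.example.com@evil/
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return 'rejected: host not on allow-list';     // also covers localhost, 127.0.0.1, [::1]
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return 'rejected: port not allowed';
    }
    // Resolve once and require a public address; the same address is pinned
    // for the fetch below so a rebinding DNS answer cannot swap it afterwards.
    $ips = $resolver($host);
    if (!$ips) {
        return 'rejected: host does not resolve';
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "rejected: $host resolves to non-public address $ip";
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0], 'url' => $url];
}

/**
 * Fetches a validated target without following redirects (a redirect could
 * point back at an internal address). Returns the body, or null on failure.
 */
function proxy_fetch(array $target): ?string
{
    $ch = curl_init($target['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        // Pin the connection to the address that was just checked.
        CURLOPT_RESOLVE        => ["{$target['host']}:{$target['port']}:{$target['ip']}"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("self-check failed: $what"); }
}

// Offline self-check with a constructed resolver (no real DNS or network).
$fakeDns = fn(string $host) => [
    'api.example.com' => ['93.184.216.34'],
    'cdn.example.com' => ['10.0.0.5'],
][$host] ?? false;

expect(is_array(validate_proxy_target('https://api.example.com/v1/items', $fakeDns)), 'allowed host passes');
expect(validate_proxy_target('http://localhost:8080/admin', $fakeDns) === 'rejected: host not on allow-list', 'localhost');
expect(validate_proxy_target('http://127.0.0.1/', $fakeDns) === 'rejected: host not on allow-list', 'loopback IP');
expect(validate_proxy_target('file:///etc/passwd', $fakeDns) === 'rejected: scheme not allowed', 'file scheme');
expect(validate_proxy_target('http://api.example.com@evil.example/', $fakeDns) === 'rejected: credentials in URL', 'userinfo trick');
expect(validate_proxy_target('http://cdn.example.com/x.js', $fakeDns)
       === 'rejected: cdn.example.com resolves to non-public address 10.0.0.5', 'private resolution');

// How a proxy script would use it (request handling left out of the self-check):
// $target = validate_proxy_target($_GET['url'] ?? '');
// if (!is_array($target)) { http_response_code(400); exit($target); }
// echo proxy_fetch($target);
```

The allow-list is the part that actually closes the issue; a deny-list of private ranges on its own is bypassable through alternative IP encodings, redirects to internal addresses and DNS rebinding, which is why the example also disables redirects and pins the resolved address with CURLOPT_RESOLVE rather than letting cURL resolve the name a second time.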

greenido1 commented 5 months ago
  1. It's a demo project and it's not deployed in the wild/production.
  2. Since it was just for demoing the capabilities we tried to keep the code as short as possible.

On Thu, Mar 28, 2024 at 5:29 AM Malte @.***> wrote:

Hi!

The supplied proxies:

- https://github.com/greenido/backbone-bira/blob/master/test-page/prox.php
- https://github.com/greenido/backbone-bira/blob/master/test-page/proxy.php
- https://github.com/greenido/backbone-bira/blob/master/server/birra/war/test/prox.php

don't filter the input. Therefore they can be used to request e.g. localhost (including other services running on the machine) or other unwanted targets. This is called SSRF: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/

I am aware that this project is a demo project, but if I got the README right, it seems like this is deployed in the wild as well?

Best
