Facebook Launches SSRF Dashboard Tool to Help Spot SSRF Bugs

The social media giant Facebook has recently announced the release of a new security tool. Named “SSRF Dashboard,” the tool helps detect server-side request forgery (SSRF) vulnerabilities directly.

Facebook SSRF Dashboard Tool

Sharing the news via a post on its Bug Bounty page, Facebook announced the new security tool, “SSRF Dashboard.” The company says the tool helps researchers identify SSRF vulnerabilities with ease.

Server-Side Request Forgery (SSRF) is a class of web application vulnerability in which an attacker induces the server to open connections to destinations of the attacker’s choosing. Such attacks succeed because the server does not properly validate the URLs or hostnames it is asked to fetch in incoming requests. (This is different from cross-site request forgery (CSRF), where the vulnerability lies on the client’s end.)

Exploiting an SSRF flaw requires an attacker to supply a crafted URL that the server’s own code then fetches on the attacker’s behalf. The impact ranges from reaching internal databases and AWS instance metadata to sending POST requests to internal services that are not exposed to the internet.
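The root cause described above is the server accepting a URL without checking where it actually leads. The following is an added example (not Facebook’s code and not part of the original article) of the validation step a server-side fetcher should run before connecting: it allows only http(s), rejects embedded credentials, resolves the hostname, and then checks the resolved IP rather than the hostname text, so private, loopback and link-local destinations are refused however they are spelled. The hostnames and addresses in FAKE_DNS are constructed so the example runs offline; the resolver parameter is an assumption of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed name table so the example resolves hostnames offline; pass
# resolver=REAL_RESOLVER to is_safe_target() for real lookups.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",   # constructed: ordinary public host
    "metadata.internal": "169.254.169.254",  # constructed: link-local range used for instance metadata
    "db.corp.local": "10.0.0.5",             # constructed: RFC 1918 private host
    "localhost": "127.0.0.1",
}
REAL_RESOLVER = socket.gethostbyname

ALLOWED_SCHEMES = {"http", "https"}


def resolve(hostname, resolver=None):
    """Return the IP string for hostname. IP literals pass straight through."""
    try:
        return str(ipaddress.ip_address(hostname))
    except ValueError:
        pass
    if resolver is not None:
        return resolver(hostname)
    if hostname not in FAKE_DNS:
        raise ValueError("unresolvable host: " + hostname)
    return FAKE_DNS[hostname]


def is_safe_target(url, resolver=None):
    """Return (ok, detail). ok is True only for http(s) URLs whose host resolves
    to a publicly routable address; detail is the resolved IP on success or the
    rejection reason otherwise. Because the check runs on the resolved IP,
    DNS aliases or alternative spellings of an internal address fail the same way."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + repr(parsed.scheme)
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    try:
        ip = ipaddress.ip_address(resolve(parsed.hostname, resolver))
    except (ValueError, OSError) as exc:
        return False, "resolution failed: " + str(exc)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False, "destination %s is not publicly routable" % ip
    return True, str(ip)


def fetch_target(url, resolver=None):
    """Stand-in for the server-side fetch (hypothetical helper): returns the
    validated IP so the caller connects to that exact address instead of
    re-resolving the hostname, which is what DNS rebinding exploits."""
    ok, detail = is_safe_target(url, resolver)
    if not ok:
        raise PermissionError(detail)
    return detail
```

The important design choice is that the decision and the connection use the same resolved address. Validating the hostname and then letting the HTTP library resolve it again leaves a window in which the DNS answer can change, so a real implementation should pin the connection to the IP returned here.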

That’s what Facebook’s SSRF Dashboard tool addresses. As described in the post,

This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of an SSRF attempt.

Besides generating URLs, the tool tabulates details for analysis: the creation date and the unique ID of each SSRF attempt URL, along with its hit count. Researchers can include these unique IDs alongside the PoC when submitting SSRF bug reports to Facebook.
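The mechanism the post describes (mint an unguessable URL, count the requests that reach it, tabulate id, creation date and hits) is small enough to show end to end. The following is an added example written for this article, not Facebook’s dashboard code: a canary registry with the listener-side hook that attributes inbound requests to endpoints. BASE_URL, the class and method names, and the inbound request log in demo() are all constructed for the example.

```python
import datetime
import secrets
from dataclasses import dataclass, field

# Hypothetical listener address; the real dashboard's hostnames are not on the page.
BASE_URL = "https://ssrf-canary.example.invalid/hit/"


@dataclass
class Endpoint:
    uid: str
    created: datetime.datetime
    hits: list = field(default_factory=list)   # (timestamp, source_ip, user_agent)


class CanaryDashboard:
    """Tracks unique canary URLs and every inbound request that reaches them."""

    def __init__(self):
        self._endpoints = {}

    def generate(self, now=None):
        """Mint a new unique endpoint URL. The id is unguessable, so a hit can
        only come from a request that saw the URL the researcher planted."""
        uid = secrets.token_urlsafe(16)
        created = now or datetime.datetime.now(datetime.timezone.utc)
        self._endpoints[uid] = Endpoint(uid, created)
        return BASE_URL + uid

    @staticmethod
    def uid_from_url(url):
        return url.rstrip("/").rsplit("/", 1)[-1]

    def record_hit(self, request_path, source_ip, user_agent, now=None):
        """Listener hook: attribute an inbound request to its endpoint.
        Returns the uid on success, or None for paths that match no endpoint
        (scanner noise, typos) so the listener can log and ignore them."""
        uid = self.uid_from_url(request_path)
        ep = self._endpoints.get(uid)
        if ep is None:
            return None
        stamp = now or datetime.datetime.now(datetime.timezone.utc)
        ep.hits.append((stamp, source_ip, user_agent))
        return uid

    def hit_count(self, uid):
        return len(self._endpoints[uid].hits)

    def rows(self):
        """The tabulated view: one row per endpoint with id, creation date and hit count."""
        return [
            {"id": ep.uid, "created": ep.created.date().isoformat(), "hits": len(ep.hits)}
            for ep in self._endpoints.values()
        ]


def demo():
    """Constructed scenario: two endpoints are minted; the listener then sees
    two requests for the first one and one unrelated request (all made up)."""
    dash = CanaryDashboard()
    t0 = datetime.datetime(2021, 3, 10, 12, 0, tzinfo=datetime.timezone.utc)
    url_a = dash.generate(now=t0)
    url_b = dash.generate(now=t0)
    inbound = [  # (time, path, source ip, user agent) as a listener would log them
        (t0 + datetime.timedelta(minutes=5), "/hit/" + dash.uid_from_url(url_a), "203.0.113.7", "image-fetcher/1.0"),
        (t0 + datetime.timedelta(minutes=6), "/hit/" + dash.uid_from_url(url_a), "203.0.113.7", "image-fetcher/1.0"),
        (t0 + datetime.timedelta(minutes=9), "/hit/does-not-exist", "198.51.100.9", "scanner/0.1"),
    ]
    attributed = [dash.record_hit(path, ip, ua, now=ts) for ts, path, ip, ua in inbound]
    return dash, url_a, url_b, attributed


if __name__ == "__main__":
    dash, url_a, url_b, attributed = demo()
    for row in dash.rows():
        print(row)
```

Recording the source IP and User-Agent with each hit is what makes the count useful in a report: a hit from the tested service’s egress address with its fetcher’s User-Agent shows the server made the request, whereas a hit from the researcher’s own browser does not.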

Researchers can find more details about using and configuring the tool on Facebook’s Whitehat Researcher Settings page. Facebook launched this dedicated settings page back in 2019 to support researchers testing Facebook apps.
