Server-Side & Network


Server-Side & Network vulnerabilities at a glance

What it is: Vulnerabilities in server-side processing and network interactions, including server-side request forgery, HTTP protocol exploits, insecure file operations, and path traversal attacks.
Why it happens: Server-side and network vulnerabilities generally stem from improper validation of user-supplied input, weak segregation of internal and external resources, and overly permissive network or server configurations.
How to fix: Enforce strict input validation and allowlisting, apply robust boundary and access controls, and configure servers and network policies securely to limit unintended exposure.

Overview

Server-side and network vulnerabilities exploit how applications process requests, interact with external systems, and handle file operations. These attacks target the server infrastructure and network communications rather than the application logic itself.

Server-Side Request Forgery (SSRF) tricks servers into making requests to internal systems. HTTP Request Smuggling exploits inconsistencies in how proxies and servers parse requests. Response Splitting injects headers to manipulate caching and routing. File Upload vulnerabilities allow attackers to upload malicious files that execute on the server. Directory Traversal attacks manipulate file paths to access files outside intended directories. These vulnerabilities are particularly dangerous because they can bypass network security controls and access systems that should be isolated.
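Of the vulnerability classes listed above, directory traversal is the one where the fix is a single well-placed check, so here is an added example (not code from this page or from Sourcery) of the containment check a file-serving handler should make. The sandbox directory, its files and the probe paths are all constructed inside the example so it runs offline; the `uploads` directory name and the probe strings are assumptions made for illustration. The key design choice is to resolve the joined path first and check containment afterwards, so `..` segments, absolute paths and symlinks are all collapsed before the comparison.

```python
import tempfile
from pathlib import Path


def safe_resolve(base_dir, user_path: str) -> Path:
    """Return the real path of user_path inside base_dir, or raise PermissionError.

    Resolution happens *after* joining, so '..' segments, absolute paths and
    symlinks are all collapsed before the containment check is made.
    """
    if "\x00" in user_path:
        raise PermissionError("embedded NUL byte in path")
    base = Path(base_dir).resolve()
    # pathlib discards base when user_path is absolute ('/etc/passwd'),
    # which is exactly why containment is checked on the resolved result.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when not under base
    except ValueError:
        raise PermissionError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def demo() -> dict:
    """Exercise safe_resolve against a constructed sandbox directory (example data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"  # assumed sandbox name for this example
        base.mkdir()
        (base / "report.txt").write_text("public report")
        secret = Path(tmp) / "secret.txt"  # lives outside the sandbox
        secret.write_text("do not serve")
        (base / "link").symlink_to(secret)  # symlink that escapes the sandbox
        probes = [
            "report.txt",            # plain file inside the sandbox
            "sub/../report.txt",     # '..' that stays inside
            "../secret.txt",         # classic traversal
            "/etc/passwd",           # absolute path
            "link",                  # symlink pointing outside
            "report.txt\x00.png",    # NUL-byte truncation attempt
        ]
        results = {}
        for p in probes:
            try:
                safe_resolve(base, p)
                results[p] = "allowed"
            except PermissionError:
                results[p] = "blocked"
        return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path!r}")
```

Call `safe_resolve` with the path exactly once after the web framework has URL-decoded it; decoding again yourself reopens the `%252e%252e` double-encoding gap. The check only answers "is this inside the sandbox", so a handler still has to decide separately whether directories, hidden files or particular extensions may be served.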

sequenceDiagram
    participant Attacker
    participant App as Web Server
    participant Internal as Internal Service
    Attacker->>App: GET /fetch?url=http://169.254.169.254/metadata
    App->>Internal: HTTP GET to cloud metadata service
    Internal-->>App: AWS/Azure credentials
    App-->>Attacker: 200 OK (cloud credentials)
    Note over App: Missing: URL validation<br/>Missing: Internal IP blocking<br/>Missing: Allowlist enforcement
A potential flow for a Server-Side & Network exploit

Where it occurs

These vulnerabilities typically appear in components that handle external input, manage network communications, or bridge internal and external systems, where improper validation or configuration can expose sensitive resources or functionality.

Impact

Server-side and network vulnerabilities can lead to data exfiltration, internal access, remote code execution, service disruption, and security control bypass.

Prevention

Prevent issues by validating URLs against approved domains, blocking access to private networks, and isolating internal services through network segmentation.
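The sequence diagram above lists three missing controls (URL validation, internal IP blocking, allowlist enforcement), and this paragraph names the same three as the fix. The following is an added example, not code from this page or from Sourcery, of an outbound URL validator that applies all three before a server-side fetch is made. The allowlist hosts (`api.example.com`, `partner.example.net`), the fake DNS answers and the probe URLs are constructed for the example; a real deployment would load its own allowlist and use `system_resolver`. It goes slightly beyond the diagram by also unwrapping IPv4-mapped IPv6 literals and by checking every resolved address, not just the first.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; load your own in a real deployment.
ALLOWED_HOSTS = frozenset({"api.example.com", "partner.example.net"})
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Constructed DNS answers so the example runs offline. partner.example.net is
# on the allowlist but points at the metadata endpoint, to show why the
# allowlist alone is not enough.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "partner.example.net": ["::ffff:169.254.169.254"],
}


def system_resolver(host: str) -> list:
    """Resolve host to every A/AAAA address using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host: str) -> list:
    """Offline stand-in for system_resolver backed by CONSTRUCTED_DNS."""
    return list(CONSTRUCTED_DNS.get(host, []))


def is_globally_routable(ip: str) -> bool:
    """True only for public addresses; False for loopback, RFC 1918, link-local
    (which includes 169.254.169.254), CGNAT, multicast and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the check sees the real v4 target.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver) -> str:
    """Validate scheme, allowlisted host and resolved addresses; return the IP to connect to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # .hostname is lowercased, has IPv6 brackets removed and userinfo stripped,
    # so 'http://api.example.com@127.0.0.1/' yields '127.0.0.1', not the allowlisted name.
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host did not resolve: {host!r}")
    for ip in addresses:
        if not is_globally_routable(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    # The caller should open the socket to this address (keeping the original Host
    # header) so a second DNS lookup cannot swap in a different target.
    return addresses[0]


def check_many(urls, resolver=system_resolver) -> dict:
    """Classify each URL as 'allowed:<ip>' or 'blocked'."""
    results = {}
    for url in urls:
        try:
            results[url] = "allowed:" + validate_outbound_url(url, resolver=resolver)
        except ValueError:
            results[url] = "blocked"
    return results


if __name__ == "__main__":
    probes = [
        "https://API.example.com./v1/items",
        "http://169.254.169.254/latest/meta-data/",
        "http://api.example.com@127.0.0.1/",
        "file:///etc/passwd",
        "https://partner.example.net/",
        "http://localhost:8080/admin",
    ]
    for url, verdict in check_many(probes, resolver=fake_resolver).items():
        print(f"{verdict:24} {url}")
```

Two operational points follow from the code. Automatic redirect following must be disabled in the HTTP client and every redirect target passed back through `validate_outbound_url`, otherwise an allowlisted host can bounce the server to an internal address. And the returned IP should be the one actually connected to, so that the address checked is the address used.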

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies server-side & network and related vulnerabilities in your codebase.
