Question: what is the difference between arbitrary file download and SSRF?
A lot of web applications are providedGetting data from other serversFunction. Using user specified URL, web application can get pictures, download files, read file contents, etc. If this function is used maliciously, it can take advantage of the defective web application as proxy attack.Remote and local servers。This form of attack is called Server-side Request Forgery.
For example, make the server get local arbitrary files
SSRF It can be used to implement any file download, but it can be used for a higher level of attack, by judging local installed services, so as to exploit vulnerabilities for specific services and even gain complete control.
- (SSRF attack case analysis