Test Id
Test 3770
Test Trace Id
0ba7c700-cc9e-41a9-9f8b-5b6eb5d86179
Timestamp
Tue, 23 Jun 2026 21:32:56 GMT
Scenario
Send SSRF payload in URL field [destinationPort]: [http://localhost:27017]
Expected Result
Should return 4XX
Result
Result Details
The following keywords were detected in the response which might suggest an error details leak: [forbidden]. Reviewer note: the response body is a minimal four-field error object (timestamp, status, error, path) with no message or stack trace, so this keyword match is low-signal. The more relevant observation is that the endpoint answered 403 Forbidden rather than 400: a 403 satisfies the "4XX" expectation, but it may be produced by an authorization layer before the body is deserialized, in which case the URL string placed in destinationPort was never evaluated by input validation and this SSRF check is inconclusive — re-run with valid credentials to confirm a 400 from validation. Also note the response header server: nginx/1.24.0 (Ubuntu), which discloses the proxy version.
Contract Path
Fuzzer
SSRFInUrlFields
Full Request Path
Http Method
{
"severity": "HIGH",
"destinationPort": "http://localhost:27017",
"sourcePort": 5353,
"packetCount": 230,
"description": "Traffic burst above baseline",
"type": "UDP_FLOOD_SUSPECTED",
"deviceId": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
"destinationIp": "192.168.1.10",
"bytesCount": 120000,
"protocol": "UDP",
"sourceIp": "10.10.10.2",
"windowSeconds": 5,
"timestamp": "2026-06-01T10:00:05Z"
}
[
{
"key": "Accept",
"value": "application/json"
},
{
"key": "Content-Type",
"value": "application/json"
},
{
"key": "User-Agent",
"value": "cats/13.8.1-SNAPSHOT (Test 3770 - SSRFInUrlFields)"
},
{
"key": "X-Cats-Trace-Id",
"value": "0ba7c700-cc9e-41a9-9f8b-5b6eb5d86179"
}
]
# Reproduces CATS Test 3770 (SSRFInUrlFields) against /api/alerts.
# The body sends a URL string ("http://localhost:27017") in destinationPort,
# a field whose sibling sourcePort is numeric; the recorded response was
# 403 Forbidden with a four-field error object and no stack trace.
# NOTE(review): the empty continuation line before -d may be where an
# Authorization header was redacted. If so, the 403 likely comes from the
# authorization layer rather than from input validation, and this replay
# as written does not exercise the SSRF/type check — confirm before relying
# on the 4XX as evidence the payload was rejected.
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: cats/13.8.1-SNAPSHOT (Test 3770 - SSRFInUrlFields)" \
-H "X-Cats-Trace-Id: 0ba7c700-cc9e-41a9-9f8b-5b6eb5d86179" \
\
-d '{"severity":"HIGH","destinationPort":"http://localhost:27017","sourcePort":5353,"packetCount":230,"description":"Traffic burst above baseline","type":"UDP_FLOOD_SUSPECTED","deviceId":"7c9e6679-7425-40de-944b-e07fc1f90ae7","destinationIp":"192.168.1.10","bytesCount":120000,"protocol":"UDP","sourceIp":"10.10.10.2","windowSeconds":5,"timestamp":"2026-06-01T10:00:05Z"}' \
https://qa-api.puk3p.online/api/alerts
{
"responseCode": 403,
"httpMethod": "POST",
"responseTimeInMs": "140",
"numberOfWordsInResponse": "1",
"numberOfLinesInResponse": "1",
"contentLengthInBytes": "94",
"jsonBody": {
"timestamp": "2026-06-23T21:32:56.368Z",
"status": 403,
"error": "Forbidden",
"path": "/api/alerts"
},
"headers": [
{
"key": "cache-control",
"value": "no-cache, no-store, max-age=0, must-revalidate"
},
{
"key": "content-type",
"value": "application/json"
},
{
"key": "date",
"value": "Tue, 23 Jun 2026 21:32:56 GMT"
},
{
"key": "expires",
"value": "0"
},
{
"key": "pragma",
"value": "no-cache"
},
{
"key": "server",
"value": "nginx/1.24.0 (Ubuntu)"
},
{
"key": "strict-transport-security",
"value": "max-age=31536000 ; includeSubDomains"
},
{
"key": "vary",
"value": "Origin"
},
{
"key": "x-content-type-options",
"value": "nosniff"
},
{
"key": "x-frame-options",
"value": "DENY"
},
{
"key": "x-xss-protection",
"value": "0"
}
],
"responseContentType": "application/json"
}
cats replay Test3770