The WSO2 API Manager application is prone to SSRF on all Test URI fields on the publisher part of the product.
- WSO2 API Manager 2.6.0
When publishing an API, the backend URL can be defined by the user and can be tested for its availability. This is a functionality provided by API Publisher by design. An HTTP HEAD request is sent to the defined endpoint for the purpose of testing the URI, and that will be done only after validating that the URI is based on the HTTP or HTTPS protocol. Therefore, there is no possibility to test endpoints that are based on FTP and other protocols. Furthermore, to make it more secure, our recommendation for production deployments is to properly configure network rules to allow traffic from the API Publisher only to the intended destination nodes.
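A scheme allow-list on its own only stops `ftp://`-style URIs; an `http://` URI can still point the HEAD probe at loopback, link-local or RFC 1918 hosts. The following is an added example, not WSO2 code and not part of the advisory, of the application-level check a defender would pair with the network rules the vendor recommends: it allows only HTTP/HTTPS, screens every address the host resolves to, and pins the probe to the screened address so the name cannot be re-resolved between check and connect. All function names, the `resolver`/`sender` injection points and the sample DNS mapping are assumptions of this example.

```python
"""Hardened 'test this backend URI' probe: scheme allow-list, address
screening of every resolved IP, then one HEAD to the pinned address."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_host(host):
    """Resolve a hostname to every A/AAAA answer (sorted list of IP strings)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def check_url(url, resolver=resolve_host):
    """Validate a user-supplied test URI.

    Returns (scheme, host, port, pinned_ip, path) or raises ValueError
    with the reason the URI is refused. `resolver` is injectable so the
    check can be exercised without network access."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError as exc:
        raise ValueError(f"bad port: {exc}") from exc
    # An IP literal is screened directly; a name is screened on every
    # answer, so a name with one public and one internal answer is refused.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, KeyError, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} maps to non-public address {addr}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return scheme, host, port, addresses[0], path


def refusal_reason(url, resolver=resolve_host):
    """None if the URI passes, otherwise the refusal message."""
    try:
        check_url(url, resolver)
        return None
    except ValueError as exc:
        return str(exc)


def head_request(scheme, host, port, ip, path, timeout=5.0):
    """One HEAD to the pinned IP; Host header and SNI carry the original name.
    http.client never follows redirects, so a 3xx is reported, not chased."""
    raw = socket.create_connection((ip, port), timeout=timeout)
    if scheme == "https":
        raw = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
        conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = raw  # reuse the already-pinned socket instead of reconnecting
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def probe_endpoint(url, sender=head_request, resolver=resolve_host):
    """Validate, then probe; returns the HTTP status code of the HEAD."""
    scheme, host, port, ip, path = check_url(url, resolver)
    return sender(scheme, host, port, ip, path)
```

The probe connects to the address that was screened and never follows a redirect, which closes the two common ways a scheme check alone is bypassed: a public name that later resolves to an internal address, and a public endpoint that answers 302 toward one.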