Commit dddfab6

chore(API6:2023): Review heading table contents
1 parent 7164d32 commit dddfab6

1 file changed

+1
-1
lines changed

2023/en/src/0xa6-server-side-request-forgery.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ API6:2023 Server Side Request Forgery
44
| Threat agents/Attack vectors | Security Weakness | Impacts |
55
| - | - | - |
66
| API Specific : Exploitability **2** | Prevalence **2** : Detectability **1** | Technical **2** : Business Specific |
7-
| Exploitation requires the attacker to find an API endpoint that receives a URI as a parameter and then accesses the provided URI. URL parsing inconsistencies are well-known for most common programming languages' built-in functions and libraries. | Modern concepts in application development encourage developers to access URIs provided by the client. Usually, server-side data retrieval is not logged, or when it is chances are it isn't being monitored. | Successful exploitation might lead to internal services enumeration (e.g. port scanning) or information disclosure, bypassing firewalls or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. |
7+
| Exploitation requires the attacker to find an API endpoint that receives a URI as a parameter and then accesses the provided URI. In general basic SSRF (when the response is returned to the attacker) is easier to exploit than Blind SSRF in which the attacker has no feedback whether or not the attack was successful. | Modern concepts in application development encourage developers to access URIs provided by the client, whilst URL parsing inconsistencies are well-known for most common programming languages' built-in functions and libraries. Regular API request including special crafted URLs (e.g. internal/private/well-known IP addresses) and response analysis will be required to detect the issue. When the response is not returned (Blind SSRF), confirming the vulnerability requires more effort and creativity. | Successful exploitation might lead to internal services enumeration (e.g. port scanning) or information disclosure, bypassing firewalls or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. |
88

99
## Is the API Vulnerable?
1010
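
Review bot: The rewritten Security Weakness cell (the `7+` row) drops the sentence "Usually, server-side data retrieval is not logged, or when it is chances are it isn't being monitored" without replacing it, so the table no longer tells readers that unlogged and unmonitored outbound fetches are part of the weakness; keep that sentence next to the new detection text, or explain the removal in the commit message, which currently describes the change only as a chore. The same cell now describes detection as needing crafted requests, response analysis and, for Blind SSRF, "more effort and creativity", while the unchanged header row still rates Detectability **1**, so confirm that the rating and the description agree. Wording in the added row: "Regular API request including special crafted URLs" should read "Regular API requests including specially crafted URLs", "In general basic SSRF" needs a comma after "In general", and "basic SSRF" and "Blind SSRF" should use the same capitalization.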
