Skip to content

SSRF Injection in headers

Description

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Remediation

How to prevent:

  • Segment remote resource access functionality in separate networks to reduce the impact of SSRF.
  • Sanitize and validate all client-supplied input data.
  • Enforce the URL schema, port, and destination with a positive allow list.
  • Disable HTTP redirections.

REST Specific

Asp_net To mitigate SSRF injection in headers within an ASP.NET application, validate and sanitize all user-supplied input, including URLs. Implement a whitelist of allowed domains and schemes, and ensure that any URL fetching is performed using a secure method that does not expose sensitive server-side resources. Additionally, consider using built-in .NET libraries like `HttpClient` with predefined request headers and avoid concatenating user input into URLs. Employ network-level restrictions and review server-side request handling code to ensure it does not inadvertently process user-supplied URLs without proper security checks.
Ruby_on_rails In Ruby on Rails, mitigate SSRF attacks by validating and sanitizing user-supplied URLs before using them to make requests. Employ a whitelist of allowed domains and schemes, and use the 'uri' standard library to parse and validate URLs. Additionally, consider using the 'resolv-replace' library to enforce DNS resolution restrictions and timeouts to prevent internal network probing.
Next_js To mitigate SSRF injection in headers within a Next.js application, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and protocols. Implement server-side checks to verify the URL format and use built-in URL parsing libraries to decompose and validate each part of the URL before making any outbound requests. Additionally, consider using a dedicated library for HTTP requests that provides SSRF protection features, and restrict outgoing traffic from the server to only necessary services to minimize the attack surface.
Laravel In Laravel, to mitigate SSRF injection in headers, validate and sanitize all user-supplied URLs before using them to fetch resources. Employ Laravel's built-in validation rules, such as 'url' or 'active_url', to ensure the URL is valid. Additionally, restrict outgoing requests to a predefined list of allowed domains and implement network-level controls to prevent requests to internal resources. Use GuzzleHttp client with caution, and avoid passing user input directly to the client. Always keep Laravel and its dependencies up to date to benefit from the latest security enhancements.
Express_js To mitigate SSRF injection in headers within an Express.js application, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and URL patterns. Implement strict input validation, use a dedicated library for URL parsing, and avoid passing user-controlled data to networking functions. Additionally, consider using a server-side request proxy that restricts outgoing traffic to known-safe destinations, and employ network-level security measures to prevent unauthorized internal network access.
Django In Django, to mitigate SSRF vulnerabilities, ensure that any user-supplied URLs are validated against a whitelist of allowed domains. Use Django's URLValidator for basic validation, and consider implementing more robust checks tailored to your application's logic. Additionally, limit outgoing requests to only necessary protocols and domains, and apply strict timeout and error handling to prevent misuse of the application's ability to make HTTP requests.
Symfony In Symfony, to mitigate SSRF injection in headers, ensure that any user-supplied URLs are validated against a whitelist of allowed domains and schemes. Use Symfony's built-in validation constraints, such as 'Url' and 'Choice', to enforce this. Additionally, avoid directly passing user-controlled data to functions that perform HTTP requests. Implement service wrappers that sanitize and validate all input, and consider using a dedicated library to handle URL fetching that has built-in security features.
Spring_boot In Spring Boot applications, to mitigate SSRF attacks, validate and sanitize all user-supplied URLs before using them to initiate a connection to a remote resource. Implement a whitelist of allowed domains and schemes, and reject any requests that do not match the criteria. Additionally, consider using Spring Security's built-in protections and avoid disclosing sensitive information through error messages.
Flask To mitigate SSRF injection in headers within a Flask application, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and schemes. Use a dedicated library or function to parse and sanitize URLs before using them in network requests. Additionally, consider implementing network-level restrictions to limit the range of accessible resources by the server, and avoid disclosing sensitive information through error messages.
Nuxt In Nuxt.js, to mitigate SSRF injection in headers, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and URL patterns. Implement server-side checks to sanitize and verify the legitimacy of URLs before using them in any HTTP requests. Additionally, consider using built-in Nuxt.js modules or third-party libraries designed to secure HTTP requests and prevent SSRF by default.
Fastapi In FastAPI, to mitigate SSRF injection in headers, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and schemes. Use built-in FastAPI dependencies to create reusable validators for URL inputs. Additionally, employ network-level security measures such as proper firewall configurations to restrict outbound traffic to trusted services only.
Frappe Implement strict URL validation and whitelisting for any user-supplied URLs to prevent SSRF vulnerabilities in the Frappe framework.
Genzio Implement strict URL validation and whitelisting for any user-supplied URLs in the Genzio framework engine to prevent SSRF attacks.
Gin Validate and sanitize all user-supplied URLs in the Gin framework to ensure they only allow requests to trusted domains, and consider using a whitelist of allowed domains.
Gorilla Implement strict allowlist validation for URLs and sanitize user inputs to prevent unauthorized requests.
Hapi Validate and sanitize all user-supplied URLs in the Hapi framework by using a whitelist of allowed domains and implement strict input validation to prevent SSRF attacks.
Hono Implement strict allowlist validation for URLs in headers to prevent SSRF attacks in the Hono framework engine.
Jersey Validate and sanitize all user-supplied URLs in the Jersey framework to ensure they only access allowed domains and resources.
Koa Validate and sanitize all user-supplied URLs in the Koa framework to ensure they only allow requests to trusted domains. Implement strict whitelisting and use libraries like 'validator' to prevent SSRF attacks.
Ktor Validate and sanitize all user-supplied URLs in headers to ensure they only point to allowed destinations, and consider using a whitelist of trusted domains.
Leptos Implement strict URL validation and whitelisting to ensure only trusted domains are accessible, and sanitize user inputs to prevent malicious URL crafting in the Leptos framework.
Macaron Validate and sanitize all user-supplied URLs in the Macaron framework to ensure they only allow requests to trusted domains, and consider using a whitelist approach to restrict outbound requests.
Phoenix Validate and sanitize all user-supplied URLs in Phoenix Framework to ensure they only point to allowed destinations, and use a whitelist approach to restrict external requests.
Redwoodjs Validate and sanitize user-supplied URLs in RedwoodJS applications to ensure they only point to allowed domains, and use server-side request libraries that support URL whitelisting or blacklisting to prevent SSRF attacks.
Rocket Implement strict URL validation and whitelisting to ensure only trusted domains are accessible, and sanitize user inputs to prevent malicious URL crafting in Rocket framework.
Sveltekit Validate and sanitize user-supplied URLs in SvelteKit endpoints to prevent SSRF attacks. Use a whitelist of allowed domains and ensure that requests are only made to these trusted sources.

Configuration

Identifier: request_forgery/ssrf_header

Examples

Ignore this check

checks:
  request_forgery/ssrf_header:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 918

Score

  • CVSS_VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVSS_SCORE: 7.3