Skip to main content

SSRF Injection in headers

Description

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Remediation

How to prevent:

  • Segment remote resource access functionality in separate networks to reduce the impact of SSRF.
  • Sanitize and validate all client-supplied input data.
  • Enforce the URL schema, port, and destination with a positive allow list.
  • Disable HTTP redirections.

REST Specific

Asp_net

To mitigate SSRF injection in headers within an ASP.NET application, validate and sanitize all user-supplied input, including URLs. Implement a whitelist of allowed domains and schemes, and ensure that any URL fetching is performed using a secure method that does not expose sensitive server-side resources. Additionally, consider using built-in .NET libraries like HttpClient with predefined request headers and avoid concatenating user input into URLs. Employ network-level restrictions and review server-side request handling code to ensure it does not inadvertently process user-supplied URLs without proper security checks.

Ruby_on_rails

In Ruby on Rails, mitigate SSRF attacks by validating and sanitizing user-supplied URLs before using them to make requests. Employ a whitelist of allowed domains and schemes, and use the 'uri' standard library to parse and validate URLs. Additionally, consider using the 'resolv-replace' library to enforce DNS resolution restrictions and timeouts to prevent internal network probing.

Next_js

To mitigate SSRF injection in headers within a Next.js application, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and protocols. Implement server-side checks to verify the URL format and use built-in URL parsing libraries to decompose and validate each part of the URL before making any outbound requests. Additionally, consider using a dedicated library for HTTP requests that provides SSRF protection features, and restrict outgoing traffic from the server to only necessary services to minimize the attack surface.

Laravel

In Laravel, to mitigate SSRF injection in headers, validate and sanitize all user-supplied URLs before using them to fetch resources. Employ Laravel's built-in validation rules, such as 'url' or 'active_url', to ensure the URL is valid. Additionally, restrict outgoing requests to a predefined list of allowed domains and implement network-level controls to prevent requests to internal resources. Use GuzzleHttp client with caution, and avoid passing user input directly to the client. Always keep Laravel and its dependencies up to date to benefit from the latest security enhancements.

Express_js

To mitigate SSRF injection in headers within an Express.js application, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and URL patterns. Implement strict input validation, use a dedicated library for URL parsing, and avoid passing user-controlled data to networking functions. Additionally, consider using a server-side request proxy that restricts outgoing traffic to known-safe destinations, and employ network-level security measures to prevent unauthorized internal network access.

Django

In Django, to mitigate SSRF vulnerabilities, ensure that any user-supplied URLs are validated against a whitelist of allowed domains. Use Django's URLValidator for basic validation, and consider implementing more robust checks tailored to your application's logic. Additionally, limit outgoing requests to only necessary protocols and domains, and apply strict timeout and error handling to prevent misuse of the application's ability to make HTTP requests.

Symfony

In Symfony, to mitigate SSRF injection in headers, ensure that any user-supplied URLs are validated against a whitelist of allowed domains and schemes. Use Symfony's built-in validation constraints, such as 'Url' and 'Choice', to enforce this. Additionally, avoid directly passing user-controlled data to functions that perform HTTP requests. Implement service wrappers that sanitize and validate all input, and consider using a dedicated library to handle URL fetching that has built-in security features.

Spring_boot

In Spring Boot applications, to mitigate SSRF attacks, validate and sanitize all user-supplied URLs before using them to initiate a connection to a remote resource. Implement a whitelist of allowed domains and schemes, and reject any requests that do not match the criteria. Additionally, consider using Spring Security's built-in protections and avoid disclosing sensitive information through error messages.

Flask

To mitigate SSRF injection in headers within a Flask application, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and schemes. Use a dedicated library or function to parse and sanitize URLs before using them in network requests. Additionally, consider implementing network-level restrictions to limit the range of accessible resources by the server, and avoid disclosing sensitive information through error messages.

Nuxt

In Nuxt.js, to mitigate SSRF injection in headers, ensure that all user-supplied URLs are validated against a whitelist of allowed domains and URL patterns. Implement server-side checks to sanitize and verify the legitimacy of URLs before using them in any HTTP requests. Additionally, consider using built-in Nuxt.js modules or third-party libraries designed to secure HTTP requests and prevent SSRF by default.

Fastapi

In FastAPI, to mitigate SSRF injection in headers, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and schemes. Use built-in FastAPI dependencies to create reusable validators for URL inputs. Additionally, employ network-level security measures such as proper firewall configurations to restrict outbound traffic to trusted services only.

Configuration

Identifier: request_forgery/ssrf_header

Examples

Ignore this check

checks:
  request_forgery/ssrf_header:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API10:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVSS_SCORE: 7.3