# Server-Side Request Forgery (SSRF) (CWE-918)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

**Stack:** Go

- Prevalence: Media 3 lenguajes cubiertos
- Impact: Alto 4 reglas de severidad alta
- Prevention: Documentada 4 ejemplos de corrección

**OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10

## Description

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

## Prevention

Estrategias de prevención para Server-Side Request Forgery basadas en 1 reglas de detección de Shoulder.

### Go

Parse URL and validate host against domain allowlist

## Warning Signs

- [HIGH] user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks

## Consequences

- Leer datos de la aplicación
- Eludir mecanismo de protección
- Ejecutar comandos no autorizados

## Mitigations

- Usa una lista de permitidos de destinos permitidos
- Desactiva los esquemas de URL innecesarios (file://, gopher://)
- Aplica segmentación a nivel de red

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
  - Remediation: Validate URLs against an allowlist of permitted domains.

```go
allowed := map[string]bool{"api.example.com": true}
parsed, _ := url.Parse(targetURL)
if !allowed[parsed.Host] {
    return errors.New("domain not allowed")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-918/ssrf