# Server-Side Request Forgery (SSRF) (CWE-918)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

**Stack:** Go

- Prevalence: 中 3 言語をカバー
- Impact: ハイ 4 件の重大度ハイのルール
- Prevention: 文書化済み 4 件の修正例

**OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10

## Description

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

## Prevention

1 件の Shoulder 検出ルールに基づく Server-Side Request Forgery の予防策。

### Go

Parse URL and validate host against domain allowlist

## Warning Signs

- [HIGH] user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks

## Consequences

- アプリケーションデータの読み取り
- 保護メカニズムの回避
- 未承認コマンドの実行

## Mitigations

- 許可された宛先の許可リストを使用する
- 不要な URL スキーム (file://、gopher:// など) を無効化する
- ネットワークレベルのセグメンテーションを使用する

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
  - Remediation: Validate URLs against an allowlist of permitted domains.

```go
allowed := map[string]bool{"api.example.com": true}
parsed, _ := url.Parse(targetURL)
if !allowed[parsed.Host] {
    return errors.New("domain not allowed")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-918/ssrf