# Server-Side Request Forgery (SSRF) (CWE-918) The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. - Prevalence: 보통 3개 언어 지원 - Impact: 높음 4개의 높은 심각도 규칙 - Prevention: 문서화됨 4개의 수정 예시 **OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10 ## Description By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls. ## Prevention 4개의 Shoulder 탐지 규칙을 기반으로 한 Server-Side Request Forgery 예방 전략. ### Go Parse URL and validate host against domain allowlist ### JavaScript Validate URLs against an allowlist of permitted domains before fetching Validate URLs against domain allowlist before making requests ## Warning Signs - [HIGH] user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks - [HIGH] Server Action '...' has SSRF vulnerability: user input controls HTTP request URL - [HIGH] user-controlled input flowing into HTTP request URLs in Server Actions - [HIGH] user input flowing into HTTP request functions without URL validation - [HIGH] user input controlling URLs in HTTP requests, allowing requests to arbitrary destinations including ## Consequences - 애플리케이션 데이터 읽기 - 보호 메커니즘 우회 - 승인되지 않은 명령 실행 ## Mitigations - 허용된 대상의 허용 목록을 사용하세요 - 필요 없는 URL 스키마(file://, gopher://)는 비활성화하세요 - 네트워크 수준의 세분화(세그멘테이션)를 적용하세요 ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (2 rules) - **SSRF in Next.js Server Actions** [HIGH]: Detects user-controlled input flowing into HTTP request URLs in Server Actions. - Remediation: Validate and sanitize URLs before making HTTP requests. Use allowlists. See remediation section for examples. - **Server-Side Request Forgery via HTTP Requests** [HIGH]: Detects user input flowing into HTTP request functions without URL validation. - Remediation: Validate URLs against an allowlist of permitted domains before making requests. ```javascript const url = new URL(userInput); if (ALLOWED_DOMAINS.includes(url.hostname)) { axios.get(userInput); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-918/ssrf ### Typescript (2 rules) - **SSRF in Next.js Server Actions** [HIGH]: Detects user-controlled input flowing into HTTP request URLs in Server Actions. - Remediation: Validate and sanitize URLs before making HTTP requests. Use allowlists. See remediation section for examples. - **Server-Side Request Forgery via HTTP Requests** [HIGH]: Detects user input flowing into HTTP request functions without URL validation. - Remediation: Validate URLs against an allowlist of permitted domains before making requests. ```javascript const url = new URL(userInput); if (ALLOWED_DOMAINS.includes(url.hostname)) { axios.get(userInput); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-918/ssrf ### Go (1 rules) - **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks. - Remediation: Validate URLs against an allowlist of permitted domains. ```go allowed := map[string]bool{"api.example.com": true} parsed, _ := url.Parse(targetURL) if !allowed[parsed.Host] { return errors.New("domain not allowed") } ``` Learn more: https://shoulder.dev/learn/go/cwe-918/ssrf ### Python (1 rules) - **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input controlling URLs in HTTP requests, allowing requests to arbitrary destinations including internal services and cloud metadata endpoints. - Remediation: Validate URLs against an allowlist of permitted domains. ```python from urllib.parse import urlparse ALLOWED_DOMAINS = {"api.github.com", "api.example.com"} parsed = urlparse(user_url) if parsed.hostname not in ALLOWED_DOMAINS: return "Invalid domain", 400 ``` Learn more: https://shoulder.dev/learn/python/cwe-918/ssrf