Server-Side Request Forgery (SSRF) (CWE-918)

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

普遍性

中

覆盖 3 种语言

影响

高

4 条严重级别为高的规则

预防

已记录

4 个修复示例

2 预防

如何修复此漏洞

基于 4 条 Shoulder 检测规则的 Server-Side Request Forgery 预防策略。

🐹 Go 查看全部 Go 详情 →

Server-Side Request Forgery (SSRF) HIGH

Parse URL and validate host against domain allowlist

+55 -11 go

  package main
  
  import (
      "io"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     targetURL := r.URL.Query().Get("url")
-     // Vulnerable: user-controlled URL
-     resp, err := http.Get(targetURL)
-     if err != nil {
-         http.Error(w, err.Error(), 500)
-         return
-     }
+     "net"
+     "net/http"
+     "net/url"
+ )
+ 
+ var allowedDomains = map[string]bool{
+     "api.example.com": true,
+     "cdn.example.com": true,
+ }
+ 
+ func isPrivateIP(ip net.IP) bool {
+     private := []string{
+         "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
+         "169.254.0.0/16", "127.0.0.0/8",
+     }
+     for _, cidr := range private {
+         _, network, _ := net.ParseCIDR(cidr)
+         if network.Contains(ip) {
+             return true
+         }
+     }
+     return false
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     targetURL := r.URL.Query().Get("url")
+ 
+     parsed, err := url.Parse(targetURL)
+     if err != nil {
+         http.Error(w, "Invalid URL", 400)
+         return
+     }
+ 
+     // Validate scheme
+     if parsed.Scheme != "https" {
+         http.Error(w, "HTTPS required", 400)
+         return
+     }
+ 
+     // Validate domain
+     if !allowedDomains[parsed.Host] {
+         http.Error(w, "Domain not allowed", 403)
+         return
+     }
+ 
+     // Block private IPs (DNS rebinding protection)
+     ips, _ := net.LookupIP(parsed.Hostname())
+     for _, ip := range ips {
+         if isPrivateIP(ip) {
+             http.Error(w, "Private IP not allowed", 403)
+             return
+         }
+     }
+ 
+     resp, _ := http.Get(targetURL)
      defer resp.Body.Close()
      io.Copy(w, resp.Body)
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

SSRF in Next.js Server Actions HIGH

Validate URLs against an allowlist of permitted domains before fetching

+8 -4 javascript

  'use server'
- 
- export async function fetchData(url: string) {
-   const response = await fetch(url);
-   return await response.json();
+ const ALLOWED_DOMAINS = ['api.example.com', 'cdn.example.com'];
+ 
+ export async function fetchData(url: string) {
+   const parsed = new URL(url);
+   if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
+     throw new Error('URL not allowed');
+   }
+   return await fetch(url).then(r => r.json());
  }

Server-Side Request Forgery via HTTP Requests HIGH

Validate URLs against domain allowlist before making requests

+25 -5 javascript

  const http = require('http');
- 
- function fetchUrl(url) {
-   // Vulnerable: no URL validation
-   return new Promise((resolve, reject) => {
-     http.get(url, (res) => {
+ const https = require('https');
+ 
+ const ALLOWED_DOMAINS = ['api.example.com', 'cdn.example.com'];
+ 
+ function fetchUrl(url) {
+   const parsed = new URL(url);
+ 
+   // Validate protocol
+   if (!['http:', 'https:'].includes(parsed.protocol)) {
+     throw new Error('Invalid protocol');
+   }
+ 
+   // Validate against allowlist
+   if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
+     throw new Error('Domain not allowed');
+   }
+ 
+   // Block private/internal IPs
+   if (isPrivateIP(parsed.hostname)) {
+     throw new Error('Private IP not allowed');
+   }
+ 
+   const client = parsed.protocol === 'https:' ? https : http;
+   return new Promise((resolve, reject) => {
+     client.get(url, (res) => {
        let data = '';
        res.on('data', chunk => data += chunk);
        res.on('end', () => resolve(data));
      }).on('error', reject);
    });
  }

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Server-Side Request Forgery (SSRF)模式。 4 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=918

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (4)

🟨 Javascript 2 rules

SSRF in Next.js Server Actions HIGH

Detects user-controlled input flowing into HTTP request URLs in Server Actions.

Server-Side Request Forgery via HTTP Requests HIGH

Detects user input flowing into HTTP request functions without URL validation.

🔷 Typescript 2 rules

SSRF in Next.js Server Actions HIGH

Detects user-controlled input flowing into HTTP request URLs in Server Actions.

Server-Side Request Forgery via HTTP Requests HIGH

Detects user input flowing into HTTP request functions without URL validation.

🐹 Go 1 rules

Server-Side Request Forgery (SSRF) HIGH

Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.

🐍 Python 1 rules

Server-Side Request Forgery (SSRF) HIGH

Detects user input controlling URLs in HTTP requests, allowing requests to arbitrary destinations including internal services and cloud metadata endpoints.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Server-Side Request Forgery (SSRF)漏洞。在代码审查和安全审计中注意查找。

🟠

user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks go-ssrf

🟠

Server Action '...' has SSRF vulnerability: user input controls HTTP request URL javascript-nextjs-server-action-ssrf

🟠

user-controlled input flowing into HTTP request URLs in Server Actions javascript-nextjs-server-action-ssrf

🟠

user input flowing into HTTP request functions without URL validation javascript-ssrf

🟠

user input controlling URLs in HTTP requests, allowing requests to arbitrary destinations including python-ssrf

🔍

扫描你的代码库: Server-Side Request Forgery (SSRF)

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则