# Server-Side Request Forgery (SSRF) (CWE-918)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

**Stack:** Go
- Prevalence: Medium (covers 3 languages)
- Impact: High (4 rules rated HIGH severity)
- Prevention: 4 remediation examples documented

**OWASP:** Server-Side Request Forgery (A10:2021-Server-Side Request Forgery) - #10

## Description

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls.

## Prevention

Server-Side Request Forgery prevention strategy based on 1 Shoulder detection rule.

### Go

Parse the URL and validate its host against a domain allowlist.

## Warning Signs

- [HIGH] User input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks

## Consequences

- Read application data
- Bypass protection mechanisms
- Execute unauthorized commands

## Mitigations

- Use an allowlist of permitted destinations
- Disable unnecessary URL schemes (file://, gopher://)
- Apply network-level segmentation

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
  - Remediation: Validate URLs against an allowlist of permitted domains.

```go
allowed := map[string]bool{"api.example.com": true}
parsed, err := url.Parse(targetURL) // needs "net/url"; "errors" is used for the sentinel below
if err != nil {
	return err // a parse failure must not fall through to a nil *url.URL
}
// Host includes any port, so allowlist entries must match the exact host[:port] of the request.
if !allowed[parsed.Host] {
	return errors.New("domain not allowed")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-918/ssrf
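The remediation snippet above checks only the host. The following is an added, self-contained Go example (not code from Shoulder or its rule set) that carries the same allowlist idea through the edge cases a reviewer would ask about: parse errors, non-http(s) schemes such as `file://` and `gopher://`, scheme-relative URLs, embedded userinfo, an explicit port, and mixed-case hosts. The `ValidateTarget` function, the `allowedHosts` map and every sample URL are this example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example; real deployments
// load it from configuration rather than hard-coding it.
var allowedHosts = map[string]bool{
	"api.example.com": true,
}

// ValidateTarget parses a user-supplied URL and returns it only when it is an
// absolute http(s) URL whose host is on the allowlist. Everything else is
// rejected before any HTTP client ever sees the value.
func ValidateTarget(raw string, allowed map[string]bool) (*url.URL, error) {
	parsed, err := url.Parse(raw)
	if err != nil {
		// Never fall through on a parse error: parsed is nil here.
		return nil, fmt.Errorf("invalid url: %w", err)
	}

	// Only absolute http/https URLs. This rules out file:// and gopher://
	// as well as scheme-relative input such as "//other.example/".
	// (url.Parse already lower-cases the scheme.)
	switch parsed.Scheme {
	case "http", "https":
	default:
		return nil, errors.New("scheme not allowed")
	}

	// Reject embedded credentials. "https://api.example.com@other.example/"
	// parses with Host = other.example; refusing userinfo outright avoids
	// any ambiguity between how humans and parsers read such a URL.
	if parsed.User != nil {
		return nil, errors.New("userinfo not allowed")
	}

	// Hostname() strips the port and IPv6 brackets, so the comparison is
	// against the bare host rather than "api.example.com:8443". Hosts are
	// case-insensitive, so fold before the lookup.
	host := strings.ToLower(parsed.Hostname())
	if host == "" || !allowed[host] {
		return nil, errors.New("domain not allowed")
	}
	return parsed, nil
}

func main() {
	// Constructed sample inputs, as a hypothetical upstream component might supply them.
	samples := []string{
		"https://api.example.com/v1/users?id=7",
		"https://API.EXAMPLE.COM:8443/v1/users",
		"http://intranet.example/admin",
		"file:///tmp/example",
		"gopher://api.example.com/",
		"//api.example.com/v1",
		"https://api.example.com@intranet.example/",
		"://broken",
	}
	for _, s := range samples {
		if u, err := ValidateTarget(s, allowedHosts); err != nil {
			fmt.Printf("REJECT %-48s %v\n", s, err)
		} else {
			fmt.Printf("ALLOW  %-48s -> %s\n", s, u.String())
		}
	}
}
```

The scheme check is what implements the "disable unnecessary URL schemes" mitigation at the application layer; the allowlist lookup implements the destination allowlist. Neither replaces network-level segmentation, which is listed separately above because it still holds if the application check is bypassed.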