In this document, you can find information and actions to take regarding the Server-Side Request Forgery vulnerability.
SSRF (Server-Side Request Forgery) flaws occur whenever a web application (server) obtains a remote resource without validating the URL, which is fully or partially provided by the user. It allows an attacker to make the application send a request to an unintended destination, even if it is protected by a firewall, VPN, or other network access control list.
Server-Side Request Forgery - OWASP Documentation
- Using the FromURL method with user input as a parameter may result in the server making requests to unexpected destinations. It is recommended to:
  - Use fixed URLs, avoiding external resources if possible.
  - Avoid using the functionality.
  - Make strict validations on which data is used in the final URL.
- Identify the SOAP web service invocation with a Location data type variable, particularly in the Host, BaseUrl, and Port properties.
- Identify HttpClient data type variables and how their properties are loaded; in particular, look for the Host, BaseUrl, Port, ProxyServerHost, and ProxyServerPort properties and check the parameters used in the Execute method.
General recommendations:

- Use strictly fixed URLs.
- Obtain the base URL from a trusted source.
- Validate every input used in a URL:
  - Using regular expressions.
  - Using well-known custom validation libraries.
- Verify the validated target domain/IP against a list of allowed targets using a string-based, case-sensitive strict comparison.
- Restrict which IPs the server can access (outbound traffic) at the network level. This can be done through the operating system firewall or a separate firewall component on the network.
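The validation steps above (regular-expression checks on each URL component, then a string-based, case-sensitive comparison of the host and port against an allowlist) as an added example, written in Python rather than GeneXus and not part of this page or the product's own code. The allowlist entries, regexes and default port are constructed assumptions; in a GeneXus application the returned components would populate the HttpClient Host, Port and BaseUrl properties instead of being concatenated.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: only these exact (host, port) pairs may be reached.
ALLOWED_TARGETS = {("api.example.com", 443), ("reports.internal.example", 8443)}
ALLOWED_SCHEMES = {"https"}
# Lowercase DNS labels only; no IP literals with brackets, no uppercase, no odd characters.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")
PORT_RE = re.compile(r"^[0-9]{1,5}$")
PATH_RE = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def validate_target(user_url: str):
    """Return (host, port, path) when every component passes, otherwise None."""
    try:
        parts = urlsplit(user_url)
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    if parts.query or parts.fragment:
        return None  # the final URL is assembled from validated components only
    netloc = parts.netloc
    # Credentials ("host@other") or IPv6 brackets change which host is contacted; reject both.
    if "@" in netloc or "[" in netloc or "]" in netloc:
        return None
    host, _, port_str = netloc.partition(":")
    if not HOST_RE.fullmatch(host):
        return None
    if port_str and not PORT_RE.fullmatch(port_str):
        return None
    port = int(port_str) if port_str else 443
    path = parts.path or "/"
    if not PATH_RE.fullmatch(path) or ".." in path:
        return None
    # String-based, case-sensitive strict comparison against the allowlist (no normalisation).
    if (host, port) not in ALLOWED_TARGETS:
        return None
    return host, port, path


def build_url(user_url: str):
    """Assemble the outbound URL only from components that passed validation."""
    target = validate_target(user_url)
    if target is None:
        return None
    host, port, path = target
    return f"https://{host}:{port}{path}"
```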