
ssrf

Server-Side Request Forgery (SSRF) vulnerabilities allow an attacker to trick a server-side application into sending HTTP requests to a destination of their choice. Sometimes this can be used to attack other external applications, but it is most dangerous when used to send requests to internal applications, servers, and databases inside a VPC that are not expecting malicious requests, such as cloud instance metadata endpoints or admin interfaces that are reachable only from the server's own network and therefore have no authentication of their own.

Where it can be avoided, do not pass user-controlled values directly into the URL of a request. Additionally, server-side applications that do send HTTP requests should block requests to internal IP addresses (loopback, RFC 1918 private ranges, and link-local addresses such as the cloud metadata endpoint 169.254.169.254); this can be done at the application, network, or container level. An application-level check has to be applied to the addresses the hostname actually resolves to, not to the hostname string, and redirects should only be followed after the new location has been checked again, because an attacker-controlled external host can redirect the server to an internal address.
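The following is an added example of such an application-level check and is not code from the original page. The helper names (is_internal_ip, resolve_all, validate_outbound_url) are hypothetical, and the resolver is injectable so that the check can be exercised offline; in production the default socket-based resolver is used.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical helpers written for this example; they are not part of the
# original page or of any library.


def is_internal_ip(ip_str):
    """True for any address an SSRF payload would use to reach the VPC interior:
    loopback (127.0.0.0/8, ::1), RFC 1918 private ranges, link-local space
    (including the 169.254.169.254 cloud metadata endpoint), multicast,
    reserved space and the unspecified address."""
    ip = ipaddress.ip_address(ip_str)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) must be judged by the
    # embedded IPv4 address, otherwise the private-range check is bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(hostname):
    """Default resolver: every A/AAAA record the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_outbound_url(url, resolver=resolve_all):
    """Return the URL unchanged if it is safe to fetch, else raise ValueError.

    Rejects non-http(s) schemes, credentials embedded in the URL and
    non-standard ports, then resolves the host and rejects it if ANY
    resolved address is internal (a name with one public and one private
    record is still an attack, so a single safe record is not enough)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parsed.scheme)
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.port not in (None, 80, 443):
        raise ValueError("port not allowed: %r" % parsed.port)
    try:
        # Literal IP (IPv4, or bracketed IPv6 which urlparse unbrackets):
        # check it directly, no DNS lookup needed.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = resolver(host)
    for addr in addrs:
        if is_internal_ip(addr):
            raise ValueError("%s resolves to internal address %s" % (host, addr))
    return url
```

Call validate_outbound_url on the final URL immediately before the request is sent, send the request with redirects disabled, and re-run the check on every Location header you decide to follow. Note that a DNS check done before the HTTP client performs its own lookup is still subject to a time-of-check/time-of-use race (DNS rebinding); the robust fix is to connect to the validated IP and send the original hostname in the Host header, or to enforce the block at the network or container level as the text describes.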

Examples

Insecure Example

from flask import Flask
import requests

app = Flask(__name__)

# The path converter lets the whole value, including a full URL, reach
# the handler, which is what makes this endpoint exploitable.
@app.route("/service_status/<path:service_name>")
def get_service_status(service_name):
    # user-controlled parameters can allow an attacker to
    # send malicious requests to internal resources
    # or other external applications
    return requests.get(service_name).text

Secure Example

from flask import Flask
import requests

app = Flask(__name__)

@app.route("/service_status/<service_name>")
def get_service_status(service_name):
    # It is highly recommended to use an allow-list (whitelist) approach:
    # the user-controlled value only selects between fixed URLs and is
    # never used to build the URL itself.
    if service_name == "someservice":
        return requests.get("https://someservice.com/myrequest").text
    elif service_name == "otherservice":
        return requests.get("https://otherservice.com/otherrequest").text
    else:
        return requests.get("https://defaultservice.com/defaultrequest").text