Partial SSRF
Description
Partial Server-Side Request Forgery occurs when the attacker can manipulate a request made by the server.
Remediation
Basic blacklisting and regular expressions are a bad approach to mitigating SSRF.
The correct ways to prevent SSRF are:
- Whitelisting and DNS resolution: whitelist the hostname (DNS name) or IP address that your application needs to access. (Best method to prevent SSRF))
- Response handling: To prevent response data from leaking to the attacker, you must ensure that the received response is as expected. Under no circumstances should the raw response body from the request sent by the server be delivered to the client.
- Disabling unused URL schemas: if your application only uses HTTP or HTTPS to make requests, allow only these URL schemas. Once unused URL schemas are disabled, the attacker will be unable to exploit the web application to make requests using potentially dangerous schemas such as
file:///,dict://,ftp://, andgopher://. - Authentication on internal services.
GraphQL Specific
Apollo
To mitigate Server-Side Request Forgery (SSRF) vulnerabilities in the Apollo framework engine, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and protocols. Additionally, implement server-side checks to verify that the response received matches expected criteria before processing it. If possible, use a dedicated service for fetching external resources that can enforce access control and auditing. Limit the response size and timeout to minimize the impact of any potential SSRF attacks. Regularly review and update the whitelist to maintain a strong security posture.
Yoga
To mitigate Server-Side Request Forgery (SSRF) vulnerabilities in the Yoga framework engine, ensure that all user-supplied URLs are validated against a strict whitelist of allowed domains and protocols. Additionally, implement server-side checks to verify that the response from the external service is expected and benign. If possible, use a server-side proxy with a static IP to control outgoing traffic and monitor for any unusual patterns or requests. Always apply the principle of least privilege by restricting the URLs to which the application can send requests, and consider using an allowlist for URL schemas, ports, and methods if applicable.
Awsappsync
To mitigate Server-Side Request Forgery (SSRF) vulnerabilities in AWS AppSync, ensure that the service is configured to only allow access to trusted endpoints. Implement strict validation on user-supplied URLs, including schema validation to only permit https schemes. Use AWS IAM roles and policies to enforce least privilege access control, and regularly audit your AppSync resolvers and data sources for any overly permissive settings. Additionally, consider using VPC endpoints for services that support them to keep traffic within the AWS network.
Graphqlgo
To mitigate Partial Server-Side Request Forgery (SSRF) vulnerabilities in a GraphQL Go framework engine, validate and sanitize all user-supplied URL inputs to ensure they point to allowed destinations. Implement strict allowlists for external services that can be interacted with, and employ network-level controls to restrict outbound traffic to trusted endpoints. Additionally, consider using a dedicated SSRF prevention library or functionality within the framework, if available.
Graphqlruby
To mitigate Partial Server-Side Request Forgery (SSRF) vulnerabilities in a GraphQL Ruby framework engine, ensure that any URL inputs are validated against a strict whitelist of allowed domains and schemes. Additionally, employ server-side checks to verify that the resolved IP addresses of the URLs do not point to internal resources. Implement network-level restrictions to prevent the GraphQL server from making requests to internal infrastructure. Use the 'graphql-pro' gem which includes SSRF protection features, and regularly update all dependencies to incorporate security fixes.
Hasura
To mitigate Server-Side Request Forgery (SSRF) vulnerabilities in the Hasura framework, ensure that any user-supplied URLs are validated against a strict whitelist of allowed domains and protocols. Additionally, employ network-level controls to restrict the Hasura engine's ability to initiate requests to unintended internal services. Consider using a combination of URL parsing libraries to validate and sanitize input, and apply the principle of least privilege by limiting the outbound network capabilities of the server running Hasura.
REST Specific
Asp_net
In ASP.NET, mitigate partial SSRF vulnerabilities by validating and sanitizing all user inputs, enforcing strict URL schemas, using allowlists for allowable destinations, and employing least privilege principles for server requests. Additionally, consider implementing network-level restrictions and monitoring outbound traffic for unusual patterns.
Ruby_on_rails
In Ruby on Rails, mitigate partial SSRF by validating and sanitizing user input, enforcing strict URL schemas, using a whitelist for allowed domains, and employing the 'resolv-replace' library to prevent DNS rebinding attacks.
Next_js
To mitigate partial SSRF vulnerabilities in a Next.js application, validate and sanitize all user inputs rigorously. Implement strict allowlists for URLs and IP addresses that the server is permitted to interact with. Additionally, use built-in Next.js features like 'getServerSideProps' or 'getStaticProps' for data fetching, which abstract away direct HTTP requests and reduce the attack surface. Always keep Next.js and its dependencies up to date to benefit from the latest security patches.
Laravel
In Laravel, mitigate partial SSRF by validating and sanitizing all user inputs, enforcing strict URL schemas, using built-in HTTP client features to limit request destinations, and implementing access control lists for external services.
Express_js
To mitigate partial SSRF vulnerabilities in an Express.js application, validate and sanitize all user inputs rigorously. Ensure that any URLs or IP addresses supplied by users are checked against a whitelist of allowed destinations. Employ a library like validator to help with input validation. Additionally, configure the HTTP request library to avoid following redirects automatically and to have a strict timeout to prevent long-running requests. Use the principle of least privilege by restricting the server's outbound requests to the minimum necessary for functionality.
Django
In Django, mitigate partial SSRF vulnerabilities by validating and sanitizing all user-supplied URLs before using them in server-side requests. Employ Django's URLValidator for initial validation, ensure only allowed schemes (e.g., 'http', 'https') are used, and restrict target hosts to a predefined whitelist. Additionally, use the 'requests' library with caution, setting a timeout, and avoid sending any sensitive data as part of the request.
Symfony
In Symfony, to mitigate partial SSRF vulnerabilities, validate and sanitize all user inputs, especially URLs, before using them in server-side requests. Employ a whitelist approach to allow only trusted domains and protocols. Additionally, use Symfony's HttpClient component with caution, setting strict options and timeouts to prevent abuse.
Spring_boot
In Spring Boot, to mitigate partial SSRF vulnerabilities, validate and sanitize all user inputs, especially URL parameters. Implement strict input validation using a whitelist approach for URLs and schemes allowed. Additionally, configure the HttpClient to use a URL filter that only permits requests to known, safe domains. Avoid disclosing sensitive information in error messages and ensure that outgoing requests do not expose internal services or resources.
Flask
In the Flask framework, mitigate partial SSRF vulnerabilities by validating and sanitizing all user inputs, ensuring that URLs or IP addresses are from a whitelist of allowed destinations, and using a secure default configuration that restricts outgoing requests to untrusted services. Additionally, employ network-level controls to prevent unauthorized interactions with internal network resources.
Nuxt
In Nuxt.js, to mitigate partial SSRF vulnerabilities, validate and sanitize all user inputs, especially URL parameters, before using them in server-side requests. Implement strict input validation with a whitelist of allowed domains and protocols. Additionally, use network-level controls to restrict the server's ability to make outbound requests only to known, trusted services.
Fastapi
In FastAPI, to mitigate partial SSRF vulnerabilities, validate all URLs and hostname inputs against a whitelist of allowed destinations before making any outbound requests. Additionally, employ client-side libraries that offer safe request functions and avoid directly concatenating user input with request URLs.
Configuration
Identifier:
request_forgery/ssrf_partial
Options
- skip_objects : List of object that are to be skipped by the security test.
Examples
Ignore this check
checks:
request_forgery/ssrf_partial:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API6:2023
pci: 6.5.9
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 918
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 6.2