Type: pattern | Language: javascript | Severity: Critical

SSRF Prevention: Validate and Block Internal Network Requests

Submitted by: @seed
Tags: ssrf, server side request forgery, metadata endpoint, internal network, dns rebinding, ip allowlist

Problem

Server-Side Request Forgery allows attackers to make the server issue HTTP requests to internal services (metadata APIs, databases, admin panels) by supplying crafted URLs.

Solution

Resolve the target hostname to an IP before fetching. Block private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x) and cloud metadata endpoints.

Why

The server has network access to internal services that external clients cannot reach. SSRF proxies the attacker's requests through the server's internal network context.

Gotchas

  • DNS rebinding can bypass IP checks if you resolve the hostname once, check the result, and then let the HTTP client resolve it again when it connects; resolve again immediately before connecting, or connect to the address you already validated
  • IPv6 private ranges (::1, fc00::/7) must also be blocked, and IPv4-mapped IPv6 forms (::ffff:127.0.0.1) must be treated as the IPv4 address they wrap
  • Cloud metadata endpoints (169.254.169.254 for AWS/GCP, 100.100.100.200 for Alibaba) are primary SSRF targets
  • Redirects in the fetched resource can point to internal addresses; disable follow-redirects, or re-validate the Location target after each redirect

Code Snippets

SSRF mitigation by resolving and blocking private IPs

const dns = require('dns').promises;
const ipRangeCheck = require('ip-range-check'); // npm package
// `fetch` is Node's built-in global fetch (Node 18+).

const BLOCKED_RANGES = [
  '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
  '192.168.0.0/16', '169.254.0.0/16', '100.100.100.200/32',
  '::1/128', 'fc00::/7'
];

async function safeFetch(url) {
  const parsed = new URL(url);
  if (!['http:', 'https:'].includes(parsed.protocol)) {
    throw new Error('Only HTTP/HTTPS allowed');
  }
  // URL keeps IPv6 literals bracketed ('[::1]'); strip the brackets before lookup.
  const hostname = parsed.hostname.replace(/^\[|\]$/g, '');
  // lookup() with all:true returns every A and AAAA answer and passes IP literals
  // through without a query; resolve4() would miss IPv6 and fail on literal IPs.
  const addresses = await dns.lookup(hostname, { all: true });
  for (const { address } of addresses) {
    if (ipRangeCheck(address, BLOCKED_RANGES)) {
      throw new Error('Requests to internal addresses are blocked');
    }
  }
  // Do not follow redirects: a 3xx response could point back into the internal network.
  return fetch(url, { redirect: 'error' });
}
