Severity: high · CWE-918 · API7:2023

Server-Side Request Forgery (SSRF) in API

The API fetches a URL provided by the user without validation, allowing attackers to probe internal services, cloud metadata endpoints, or private networks.

How It Works

SSRF occurs when an API accepts a user-supplied URL and makes a server-side HTTP request to it. Attackers exploit this to reach internal services that are not exposed to the internet, such as cloud metadata endpoints (169.254.169.254), internal databases, or admin panels. The server acts as a proxy, bypassing firewalls and network segmentation. In cloud environments, SSRF can leak IAM credentials, service account tokens, and infrastructure secrets from metadata APIs.

Vulnerable Code

import express from 'express';
const app = express();
app.use(express.json());

// The user-controlled URL goes straight into fetch(): nothing prevents a request to the
// 169.254.169.254 metadata endpoint or a loopback service, and the body is returned verbatim.
app.post('/api/fetch-preview', async (req, res) => {
  const { url } = req.body;
  const response = await fetch(url);
  const data = await response.text();
  res.json({ preview: data });
});
Secure Code

import express from 'express';
import { isAllowedUrl } from './url-validator';

const app = express();
app.use(express.json());

app.post('/api/fetch-preview', async (req, res) => {
  const { url } = req.body;
  // Reject anything that is not an https URL to a public address before any request is made.
  if (!isAllowedUrl(url, { allowPrivate: false, protocols: ['https'] })) {
    return res.status(400).json({ error: 'URL not allowed' });
  }
  // redirect: 'error' makes fetch throw on 3xx, so a validated public URL cannot
  // redirect the server into an internal address after the check has passed.
  const response = await fetch(url, { redirect: 'error' });
  const data = await response.text();
  // Cap the returned body so the endpoint cannot be used to exfiltrate large responses.
  res.json({ preview: data.slice(0, 5000) });
});
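
The secure snippet imports isAllowedUrl from './url-validator' but does not show it. Below is an added example implementation (not the page's or any project's own module) that covers the protocol allowlist and the private-range and metadata-endpoint checks from the prevention list; it assumes only the global WHATWG URL class, which canonicalises alternate IPv4 spellings (2130706433, 0x7f000001, 127.1) to dotted-decimal before the range check runs.

```javascript
// Ranges a preview fetcher should never reach, as [base, prefixLength].
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, includes the 169.254.169.254 metadata endpoint
  ['0.0.0.0', 8],       // "this" network; 0.0.0.0 reaches local listeners on many stacks
  ['100.64.0.0', 10],   // carrier-grade NAT shared address space
];

function v4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function isPrivateV4(ip) {
  return PRIVATE_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

function isPrivateHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.startsWith('[')) {                                   // IPv6 literal; URL keeps the brackets
    const v6 = h.slice(1, -1);
    if (v6 === '::1' || v6 === '::' || /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true;
    // IPv4-mapped address (::ffff:a.b.c.d); URL usually serialises the low 32 bits as two hex groups.
    const m = v6.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
    if (!m) return false;
    const ip = m[1] ? v4ToInt(m[1]) : (parseInt(m[2], 16) << 16 | parseInt(m[3], 16)) >>> 0;
    return ip !== null && isPrivateV4(ip);
  }
  // A DNS name falls through here unblocked: resolve it (dns.lookup), run isPrivateV4 on the
  // answer, and connect to that same address, otherwise a rebinding record defeats the check.
  const ip = v4ToInt(h);
  return ip !== null && isPrivateV4(ip);
}

function isAllowedUrl(input, { allowPrivate = false, protocols = ['https'] } = {}) {
  let u;
  try { u = new URL(String(input)); } catch { return false; }      // unparseable input
  if (!protocols.includes(u.protocol.slice(0, -1))) return false;  // rejects file:, ftp:, gopher:
  if (u.username || u.password) return false;                      // e.g. https://internal@evil.example/
  return allowPrivate || !isPrivateHost(u.hostname);
}
```

Because this helper only inspects the literal host, it must be paired with the redirect: 'error' option used above and with a resolved-address check for DNS names.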

Real-World Example

The 2019 Capital One breach exposed 106 million records. An attacker exploited an SSRF vulnerability in a WAF to access AWS metadata at 169.254.169.254, obtaining IAM role credentials that granted access to S3 buckets containing customer data.

How to Prevent It

  • Validate and allowlist URLs before making server-side requests
  • Block requests to private IP ranges and cloud metadata endpoints
  • Disable HTTP redirects or validate redirect targets
  • Parse URLs with a proper URL parsing library rather than string matching, and check the resolved address, so that bypass techniques such as alternate IP encodings or DNS rebinding are caught

Affected Technologies

Node.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
