Reverse proxy misrouting - Vulnerability Database

Reverse proxy misrouting

Description

This vulnerability occurs when a reverse proxy or web application uses untrusted HTTP request values (such as headers like Host, X-Forwarded-Host, or URL parameters) to determine routing destinations without proper validation. Attackers can manipulate these values to cause the server to make requests to arbitrary internal or external systems, resulting in Server-Side Request Forgery (SSRF). This allows attackers to bypass firewall restrictions, access internal services, or interact with systems that should not be directly accessible from the internet.
Note: This check may produce false positives if the scanner is configured to use an HTTP proxy.

Remediation

Implement the following security controls to prevent reverse proxy misrouting and SSRF attacks:

1. Input Validation and Sanitization:
- Maintain an allowlist of permitted destination hosts and reject all requests to non-approved destinations
- Validate and sanitize all user-controllable input used in routing decisions, including HTTP headers (Host, X-Forwarded-Host, X-Original-URL) and URL parameters
- Reject destinations in private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), and cloud metadata endpoints (169.254.169.254)

2. Secure Proxy Configuration:

// Example: Validate destination before proxying (Node.js/Express)
const express = require('express');
const http = require('http');
const net = require('net');
const app = express();
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

// Rejects literal private, loopback, link-local and metadata addresses (the ranges listed in control 1)
function isPrivateIP(host) {
  if (net.isIP(host) === 0) return false; // not an IP literal; hostnames are covered by the allowlist
  return host === '::1' || /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host);
}
// Forwards the request to the validated host and streams the upstream response back
function proxyRequest(targetHost, req, res) {
  const upstream = http.request(
    { host: targetHost, path: req.url, method: req.method, headers: { ...req.headers, host: targetHost } },
    (upstreamRes) => { res.writeHead(upstreamRes.statusCode, upstreamRes.headers); upstreamRes.pipe(res); }
  );
  upstream.on('error', () => res.status(502).json({ error: 'Upstream unreachable' }));
  req.pipe(upstream);
}
app.use('/proxy', (req, res) => {
  const targetHost = req.headers['x-target-host'];

  // Validate against allowlist
  if (!ALLOWED_HOSTS.includes(targetHost)) {
    return res.status(403).json({ error: 'Forbidden destination' });
  }

  // Additional validation: ensure no private IPs
  if (isPrivateIP(targetHost)) {
    return res.status(403).json({ error: 'Private IPs not allowed' });
  }

  // Proceed with proxying to validated host
  proxyRequest(targetHost, req, res);
});

3. Network Segmentation:
- Deploy proxy services in isolated network segments with restricted outbound access
- Use dedicated hosts for external request routing with minimal privileges
- Implement egress filtering to block access to internal IP ranges and sensitive services

4. Disable Unnecessary Features:
- Disable the following of HTTP redirects in proxy configurations
- Remove or restrict support for alternative protocols (file://, gopher://, dict://)
- Configure timeouts to prevent resource exhaustion

Related Vulnerabilities