Server-Side Request Forgery (localhost)
Description
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to manipulate the server into making unintended HTTP requests to arbitrary destinations. The attacker can abuse the server's network position and trust relationships to access internal services, cloud metadata endpoints, or external systems that would normally be unreachable. In this case, the vulnerability was confirmed by successfully accessing localhost services on the target server, demonstrating the ability to interact with internal resources not exposed to the public internet.
Remediation
Implement multiple layers of defense to prevent SSRF attacks:
1. Input Validation and Sanitization:
• Use an allowlist approach to restrict URLs to known, safe domains and protocols
• Reject or strip out dangerous URL schemes (file://, gopher://, dict://, etc.)
• Validate and parse URLs before processing to prevent bypass techniques
# Example: URL validation with allowlist (Python)
from urllib.parse import urlparse

ALLOWED_DOMAINS = ['api.trusted-service.com', 'cdn.example.com']
ALLOWED_SCHEMES = ['https']

def validate_url(user_url):
    # Parse first, then compare the normalized scheme and hostname (not the raw string)
    parsed = urlparse(user_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError('Invalid URL scheme')
    if parsed.hostname not in ALLOWED_DOMAINS:
        raise ValueError('Domain not allowed')
    return user_url

2. Network-Level Controls:
• Block outbound requests to private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16)
• Implement egress filtering to restrict which external hosts the application can contact
• Use a dedicated service or proxy for external requests with strict firewall rules
3. Application-Level Protections:
• Disable HTTP redirects or validate redirect destinations against the same allowlist
• Implement DNS resolution checks to prevent DNS rebinding attacks
• Use separate credentials with minimal privileges for external service calls
• Remove or obfuscate error messages that reveal internal network information
4. Cloud-Specific Mitigations:
• Disable or restrict access to cloud metadata endpoints (e.g., 169.254.169.254)
• Use IMDSv2 on AWS, which requires token-based authentication for metadata requests
• Implement network policies to prevent pods/containers from accessing metadata services
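The following is an added example (not code from the original finding) that combines the private-range blocking from point 2 with the DNS resolution check from point 3: every address the hostname resolves to is compared against the blocked ranges before any request is made, which is exactly what stops the localhost access confirmed above. The `resolver` parameter and the IPv6 loopback entry are assumptions added for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# The private and link-local ranges from the remediation list, plus the IPv6
# loopback address (added for this example; not in the list above).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128",
)]


def is_blocked_address(text):
    """True if the address falls inside a blocked range (IPv4-mapped IPv6 included)."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(user_url, resolver=socket.getaddrinfo):
    """Validate scheme and host, resolve the host, and return (hostname, [checked IPs]).

    `resolver` is a hypothetical injection point so the check can run offline;
    it must return records shaped like socket.getaddrinfo(host, port).
    """
    parsed = urlparse(user_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:  # literal IP (including bracketed IPv6): check it directly
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:  # DNS name: check every address it resolves to
        try:
            addresses = sorted({info[4][0] for info in resolver(host, None)})
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}") from exc
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host} maps to blocked address {addr}")
    return host, addresses
```

Connect to one of the returned addresses (sending the original hostname in the Host header) rather than resolving the name a second time at connect time; otherwise a rebinding DNS server can answer the check with a public address and the real connection with 127.0.0.1.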