# Server-Side Request Forgery

A **server-side request forgery** (SSRF) attack is when an attacker crafts a malicious HTTP request that causes your server to make a further request to a domain of their choosing. SSRF vulnerabilities can be used to probe your internal network, or to disguise denial-of-service attacks against third parties so that they appear to originate from your server.

## Common Causes of SSRF

There are many reasons your web server might make outgoing HTTP requests, including:

* Calling a third-party API in response to a user action.
* Communicating with a *Single Sign-On* (SSO) provider.
* Implementing an image upload function that accepts URLs instead of files.
* Checking validation URLs – for example, hosted schema files referenced in XML documents.
* Accessing open-graph meta-data used in generating link previews.

In some of these scenarios, the URL (and therefore the domain your server connects to) is taken directly from the incoming HTTP request. This lets an attacker trigger HTTP requests to arbitrary domains. Malicious users will try to use this for denial-of-service attacks against other targets (for which you will get blamed) and to probe internal IP addresses on your network that were never intended to be reachable from the public internet.

## Mitigation

The easiest way to mitigate SSRF vulnerabilities is to never make outgoing HTTP requests to domain names drawn from an incoming HTTP request. Be wary of functions like `file_get_contents()` that accept both local file paths and URLs: if the path comes from untrusted input, an attacker can trick the web application into performing unexpected network requests. If possible, disable URL handling in these file functions by setting `allow_url_fopen = 0` in your `php.ini` file.
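As an added illustration (example code, not from the original article), the following shows the `file_get_contents()` pattern described above beside a hardened version that only fetches from an explicit allowlist of trusted hosts and refuses redirects. The allowlisted hostnames, the constructed `10.0.0.5` internal address used in the demonstration, and the use of PHP 8 union return types are assumptions.

```php
<?php
// Added example, not code from the original article. Hostnames and the
// internal address below are constructed for demonstration.
declare(strict_types=1);

// Assumed list of hosts the application legitimately needs to talk to.
const ALLOWED_HOSTS = ['api.example.com', 'sso.example.com'];

/**
 * Return the normalised host if $url is a plain http(s) URL whose host is on
 * the allowlist, or null if the request must be refused.
 */
function allowedHost(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // unparsable, or no host (e.g. file:///etc/passwd)
    }
    // Only http/https: rejects file://, php://, gopher:// and similar wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Refuse embedded credentials and explicit ports; both are classic ways to
    // make a URL look like it points at a trusted host when it does not.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/**
 * Vulnerable pattern from the article: the URL comes straight from the request,
 * so the attacker controls scheme, host and port of the outgoing request.
 */
function fetchPreviewUnsafe(string $url): string|false
{
    return file_get_contents($url);
}

/**
 * Hardened version: validate against the allowlist before touching the
 * network, apply a timeout, and do not follow redirects (a redirect from a
 * trusted host could otherwise point the server at an internal address).
 */
function fetchPreviewSafe(string $url): string|false
{
    if (allowedHost($url) === null) {
        return false;
    }
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'timeout'         => 5,
            'follow_location' => 0,
            'max_redirects'   => 0,
        ],
    ]);
    return file_get_contents($url, false, $ctx);
}

// Constructed inputs exercising each validation branch (no network access).
$samples = [
    'https://api.example.com/v1/items',      // on the allowlist
    'HTTPS://API.EXAMPLE.COM/v1/items',      // case normalisation
    'http://10.0.0.5:8080/',                 // constructed internal address, explicit port
    'file:///etc/passwd',                    // non-http scheme
    'http://api.example.com@10.0.0.5/',      // credentials used to disguise the real host
];
foreach ($samples as $url) {
    $host = allowedHost($url);
    printf("%-40s -> %s\n", $url, $host === null ? 'refused' : "allowed ($host)");
}
```

An allowlist of hostnames is preferable to a denylist of private IP ranges: with a denylist you also have to reason about DNS names that resolve to internal addresses, IPv6 forms, and alternative IP encodings, whereas an allowlist sidesteps all of that. Note that with `allow_url_fopen = 0` in `php.ini`, `file_get_contents()` refuses URLs altogether, so any fetch the application genuinely needs should then go through a dedicated HTTP client such as ext/curl, with the same allowlist check in front of it.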

## About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.
