A10 — Server-Side Request Forgery Secure

1000-ft view: SSRF lets an attacker make your server fetch URLs it shouldn’t (e.g., cloud metadata, internal panels, non-HTTP ports). This secure page calls a hardened fetcher that: allowlists domains, blocks private CIDRs, re-resolves hostnames, enforces HTTPS, limits ports, and rejects weird schemes.

Attack 1 — Direct Internal IP

Block private CIDRs

Secure idea: refuse requests to private/loopback/link-local ranges (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fc00::/7), even if the URL is http(s).

  1. Use the quick URL below or enter your own internal IP.
  2. Click Fetch (secure). The request should be blocked.

Attack 2 — Hostname Resolves to Private IP

Re-resolve & verify

Secure idea: resolve the host to an IP at request time and enforce the private-CIDR block on the final address (protects against DNS rebinding/hosts-file tricks).

  1. Quick demo uses http://localhost/… which resolves to 127.0.0.1.
  2. Click Fetch (secure). The fetcher re-resolves and blocks.

Attack 3 — Open Redirect → Internal

Validate final hop

Secure idea: either don’t follow redirects or, if you must, re-validate the destination after each hop (scheme/host/IP/port).

  1. Use the prefilled URL that points to our redirector.php which forwards to 127.0.0.1.
  2. Click Fetch (secure). The final destination should be blocked.

Attack 4 — Non-HTTP & Port Rules

Restrict to 443 (or 80/443)

Secure idea: your feature likely needs HTTPS:443 only. Disallow raw sockets, FTP, Gopher, and non-standard ports (e.g., 22, 25, 3306).

  1. Probe a port (e.g., 127.0.0.1:22). The secure probe should refuse it.
  2. Try 443 to see the allowed path.

Attack 5 — Scheme Abuse & IPv6 Tricks

Strict URL parser

Secure idea: accept only normalized https:// URLs with a hostname that passes allowlist + DNS/IP checks. Reject file://, gopher://, ftp://, IPv6 localhost http://[::1]/, mixed-encoded hosts, and userinfo tricks.

  1. Try a weird URL (buttons below prefill examples).
  2. Submit via the secure fetcher — it should reject with a clear reason.
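The five attacks above are all refused by the same set of checks (scheme, userinfo, hostname charset, port, allowlist, resolve-then-check, re-validate per redirect hop), so a single added example serves all of them. This is illustrative Python written for this page, not the lab's own fetcher: the names (`validate_url`, `fetch_checked`, `BlockedURL`, `ALLOWED_HOSTS`), the placeholder public address 51.0.0.10, and the `FAKE_DNS`/`FAKE_HTTP` stand-ins with the injected resolver and transport are constructed assumptions so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Demo policy (constructed values): only these hosts, only HTTPS on 443.
ALLOWED_HOSTS = {"api.example.com", "partner.example.com"}
ALLOWED_PORTS = {443}
MAX_REDIRECTS = 3
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


class BlockedURL(Exception):
    """Carries the human-readable reason a request was refused."""


def system_resolver(host):
    """Default resolver: every A/AAAA answer from the OS (hypothetical helper)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror as exc:
        raise BlockedURL(f"dns lookup failed for {host}: {exc}")


def is_public_ip(ip_str):
    """False for private, loopback, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses, IPv4 and IPv6 alike."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must follow the IPv4 rules
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=system_resolver):
    """Checks in order: parse, scheme, userinfo, host charset, port, allowlist,
    DNS answers. Returns (host, port, pinned_ip, path) or raises BlockedURL."""
    try:
        parts = urlsplit(url)
        port = 443 if parts.port is None else parts.port  # .port raises on ':80x'
    except ValueError as exc:
        raise BlockedURL(f"unparseable url: {exc}")
    if parts.scheme != "https":
        raise BlockedURL(f"scheme {parts.scheme!r} not allowed (https only)")
    if parts.username is not None or parts.password is not None:
        raise BlockedURL("userinfo (user:pass@) in url is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or not set(host) <= HOST_CHARS:
        raise BlockedURL(f"host {host!r} is not a plain DNS name (IPv6 literal, "
                         "percent-encoding or unicode)")
    if port not in ALLOWED_PORTS:
        raise BlockedURL(f"port {port} not allowed")
    if host not in ALLOWED_HOSTS:
        raise BlockedURL(f"host {host!r} is not on the allowlist")
    addrs = resolver(host)  # resolved at request time, every answer checked
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise BlockedURL(f"{host} resolves to non-public address(es) {bad}")
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return host, port, addrs[0], path


def fetch_checked(url, transport, resolver=system_resolver):
    """Follow at most MAX_REDIRECTS hops, re-validating each Location before
    connecting. transport(ip, host, port, path) must connect to the pinned ip
    (sending host as SNI/Host) and return (status, headers, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        host, port, ip, path = validate_url(url, resolver)
        status, headers, body = transport(ip, host, port, path)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        location = headers.get("Location")
        if not location:
            raise BlockedURL("redirect without Location header")
        url = urljoin(url, location)  # relative Location resolved against this hop
    raise BlockedURL(f"more than {MAX_REDIRECTS} redirects")


# Constructed offline stand-ins for DNS and HTTP; 51.0.0.10 is a placeholder
# public address, and partner.example.com simulates a rebinding/hosts-file trick.
FAKE_DNS = {"api.example.com": ["51.0.0.10"],
            "partner.example.com": ["51.0.0.10", "127.0.0.1"]}
FAKE_HTTP = {("api.example.com", "/data"): (200, {}, b"hello"),
             ("api.example.com", "/go"): (302, {"Location": "/hop"}, b""),
             ("api.example.com", "/hop"): (302, {"Location": "https://127.0.0.1/admin"}, b"")}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise BlockedURL(f"dns lookup failed for {host}")
    return FAKE_DNS[host]


def fake_transport(ip, host, port, path):
    return FAKE_HTTP.get((host, path), (404, {}, b"not found"))


def check(url):
    """What the secure page would display for one submitted URL."""
    try:
        status, body = fetch_checked(url, fake_transport, fake_resolver)
        return f"OK {status}: {body.decode()}"
    except BlockedURL as exc:
        return f"BLOCKED: {exc}"


if __name__ == "__main__":
    for u in ["https://api.example.com/data",         # allowed path
              "http://127.0.0.1/admin",                # attack 1
              "https://partner.example.com/",          # attack 2
              "https://api.example.com/go",            # attack 3 (redirector)
              "https://api.example.com:22/",           # attack 4
              "ftp://api.example.com/", "https://[::1]/",
              "https://api.example.com@127.0.0.1/"]:   # attack 5
        print(f"{u:40} -> {check(u)}")
```

Running the script prints one line per attack with the reason it was refused. Two points the page leaves implicit are made explicit here: the address that passed the check is the one handed to the transport, because a second, unchecked lookup inside the HTTP client would reopen the rebinding window between check and connect; and every address in the DNS answer is checked, not only the first, so a name that returns one public and one private record is refused outright.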