Install: claude install-skill Liaabnormal676/find-cve-agent
# SSRF Detection
## When to Use
Audit webhook handlers, URL preview generators, import-from-URL features, image proxy endpoints, PDF generators that fetch remote resources, and any endpoint that makes HTTP requests based on user-supplied URLs.
## Process
### Step 1: Find HTTP Request Sinks
```
# JavaScript
grep -rn "fetch(\|axios\|got(\|node-fetch\|http\.get\|https\.get\|request(" .
grep -rn "urllib\|url\.parse\|new URL(" .
# Python
grep -rn "requests\.get\|requests\.post\|urllib\.request\|urlopen\|httpx" .
# Go
grep -rn "http\.Get\|http\.Post\|http\.NewRequest\|httpClient" .
# Ruby
grep -rn "Net::HTTP\|open-uri\|Faraday\|HTTParty\|RestClient" .
```
### Step 2: Check If URL is User-Controlled
Trace the URL parameter backwards:
- Does it come from request parameters, the request body, or headers?
- Is it stored in the database but originally user-supplied?
- Can the user control the host, port, path, or scheme?
### Step 3: Check URL Validation
```
grep -rn "isPrivate\|isInternal\|isLocalhost\|blocked\|allowlist\|blocklist" .
grep -rn "127\.0\.0\.1\|0\.0\.0\.0\|169\.254\|10\.\|172\.16\|192\.168" .
```
### Step 4: Test IP Validation Bypasses
Common bypass techniques:
- Decimal IP: `2130706433` = 127.0.0.1
- Hex IP: `0x7f000001` = 127.0.0.1
- Octal IP: `0177.0.0.1` = 127.0.0.1
- IPv6 mapped: `::ffff:127.0.0.1`
- IPv6 localhost: `::1`, `0:0:0:0:0:0:0:1`
- URL encoding: `http://127%2e0%2e0%2e1`
- DNS rebinding: a domain that resolves to 127.0.0.1 after the initial check
- Redirect following: allowe
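
When Step 3 turns up a validator, a useful reference is one that canonicalizes the host before testing it, so that every literal encoding listed above is caught. The following is an added example, not part of this skill or of any library; the names `parse_inet_aton`, `literal_ip` and `check_url` are hypothetical, and it covers literal hosts only (DNS names are handed back for resolution and pinning).

```python
# Added example: hypothetical helper names, standard library only.
import ipaddress
from urllib.parse import urlsplit, unquote

def parse_inet_aton(host):
    """Parse host like C inet_aton(): 1-4 dot-separated parts, each decimal,
    0x-hex or 0-octal; the last part fills whatever bytes remain."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        base = 16 if p.lower().startswith("0x") else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):
        last |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)

def literal_ip(host):
    """Return the address a host literal denotes, or None if it is a DNS name."""
    host = unquote(host).strip("[]")          # undo %2e-style encoding first
    ip = parse_inet_aton(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)   # IPv6 forms
        except ValueError:
            return None
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return mapped if mapped is not None else ip

def check_url(url):
    """'block', 'allow', or 'resolve' (DNS name: resolve once, run the same
    range test on the answer, connect to that IP, repeat for each redirect)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block"
    ip = literal_ip(parts.hostname)
    if ip is None:
        return "resolve"
    internal = (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_reserved or ip.is_multicast)
    return "block" if internal else "allow"
```

A validator under audit that string-matches `127.0.0.1` or parses the host with a strict dotted-quad parser will disagree with this one on the decimal, hex and octal forms, which is the gap to report.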