sast-ssrf
Install: claude install-skill reasonless-throne486/sast-skills
# Server-Side Request Forgery (SSRF) Detection
You are performing a focused security assessment to find SSRF vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: **recon** (find all places that make outbound TCP, DNS, or HTTP requests), **batched verify** (trace whether user-supplied input reaches those call sites, in parallel batches of 3), and **merge** (consolidate batch reports into one file).
**Prerequisites**: `sast/architecture.md` must exist. Run the analysis skill first if it doesn't.
---
## What is SSRF
SSRF occurs when an attacker can cause the server to make outbound network requests to an arbitrary destination — including internal services, cloud metadata endpoints, or other external targets — by supplying or influencing the URL, hostname, IP, or port used in a server-side request.
The core pattern: *unvalidated, user-controlled input reaches the destination argument of an outbound network call.*
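The core pattern, shown as an added example (not code from the skill or from any project it assesses): a user-supplied URL fetch in its vulnerable form beside a hardened form that allowlists scheme and port, resolves the host and rejects any non-public answer, and re-validates each redirect hop. All function names, the `ALLOWED_*` policy and the `FAKE_DNS`/`FAKE_HTTP` fixtures are hypothetical; `http_get` stands in for whatever HTTP client the code base actually uses.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added example, not code from the skill or any project it assesses. Names, the
# ALLOWED_* policy and the FAKE_* fixtures are hypothetical; http_get is an
# abstraction for the real HTTP client so the example runs offline.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class SSRFBlocked(ValueError):
    """Destination failed the outbound-request policy."""

def fetch_vulnerable(user_url, http_get):
    # The sink the skill hunts for: user input is the destination, unchanged.
    # http://169.254.169.254/latest/meta-data/ goes straight out.
    return http_get(user_url)

def resolve_all(hostname):
    """Every address a name resolves to (A and AAAA), as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def is_public_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 reaches the same host as 169.254.169.254; unwrap it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (which covers the
    # metadata address), CGNAT 100.64/10, unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast

def validate_destination(user_url, resolve=resolve_all):
    """Return the addresses user_url will reach, or raise SSRFBlocked."""
    parts = urlparse(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL")  # http://good.example@evil.example/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # urlparse raises on an out-of-range port
        raise SSRFBlocked("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    # An IP literal is checked directly. A hostname is resolved and EVERY answer
    # is checked, so a name with one public and one internal record still fails.
    # Forms ip_address() rejects (0x7f000001, 2130706433, ...) go to the resolver
    # and whatever it hands back is checked, so that dodge is covered as well.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked("host does not resolve")
    for addr in addrs:
        if not is_public_ip(addr):
            raise SSRFBlocked(f"{host} -> {addr} is not a public address")
    return addrs

def destination_verdict(user_url, resolve=resolve_all):
    """String form of the policy decision, handy for logging and tests."""
    try:
        return "allowed " + ",".join(validate_destination(user_url, resolve))
    except SSRFBlocked as exc:
        return f"blocked: {exc}"

def fetch_hardened(user_url, http_get, resolve=resolve_all, max_redirects=3):
    """Validate the destination, then re-validate every redirect hop.
    http_get(url) must NOT follow redirects itself and returns (status, headers,
    body); the hop-by-hop check stops an allowed public host from bouncing the
    server into 10.0.0.0/8 via a Location header."""
    url = user_url
    for _ in range(max_redirects + 1):
        validate_destination(url, resolve)
        status, headers, body = http_get(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers["Location"])
    raise SSRFBlocked("too many redirects")

# Constructed fixtures so the example runs offline (no real DNS or HTTP).
FAKE_DNS = {
    "api.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    "meta.example": ["::ffff:169.254.169.254"],      # mapped metadata address
}
FAKE_HTTP = {
    "https://api.example/ok": (200, {}, b"hello"),
    "https://api.example/bounce": (302, {"Location": "http://10.0.0.5/admin"}, b""),
}

def fetch_hardened_demo(user_url):
    try:
        return fetch_hardened(user_url, FAKE_HTTP.__getitem__, FAKE_DNS.get)
    except SSRFBlocked as exc:
        return f"blocked: {exc}"
```

One caveat the hardened form does not close: it resolves the name once for the check and then the HTTP client resolves it again when connecting, which leaves a DNS-rebinding window between the two lookups. Closing that requires pinning the connection to the validated address (client-specific, so not shown here). When verifying a call site, look for exactly these pieces: a scheme and port allowlist, a resolve-then-check on every returned address, and redirect handling that goes back through the same check.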
### What SSRF IS
- HTTP client calls where the URL or host is built from user input: `requests.get(user_url)`
- Fetching a resource whose location is provided by the client: `fetch(req.body.webhook_url)`
- DNS lookups on a hostname supplied by the user: `dns.lookup(req.query.host)`
- Raw TCP connections to a host/port derived from user input: `socket.connect((user_host, user_port))`
- File-fetching functions used with HTTP/FTP URLs from user input: `file_get_contents($user_url)`
- URL redirectors that forward to a user-supplied de