TL;DR:
Check whether a given URI string contains a possible SSRF (Server-Side Request Forgery) attack. Zero dependencies!
https://www.npmjs.com/package/ssrfcheck
The project
I created this Node.js package to check whether a string contains a potential SSRF attack vector. It can be used programmatically or as a CLI tool.
What is a SSRF Attack?
"In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed."
source and more information: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
How can SSRF attacks occur?
An SSRF attack mainly becomes possible when third-party-supplied data (user settings, partner configuration, and so on) provides URLs, domains, or URL fragments that a backend service of your application will fetch. As said before, such a URL can be manipulated in many ways to force your service to probe the internal network, retrieve private and sensitive information, or escalate access. For example: if you let an ordinary user configure a postback (webhook) URL on your service, you may be vulnerable.
Here are some SSRF payload examples:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md
The library
So, this library checks for potential SSRF attacks in a URL string. Zero dependencies.
You just import or require it and call a simple function:
const { isSSRFSafeURL } = require('ssrfcheck');
const url = 'https://localhost:8080/whatever';
const result = isSSRFSafeURL(url); // false
If you prefer, you can use it as a CLI by installing as a global dependency or just testing using NPX:
npx ssrfcheck <uri> <options>
E.g.:
npx ssrfcheck https://localhost:8080/whatever
What does this Lib check?
The library checks complete URLs, focusing on the protocol and host structure, and tells whether the URL is a possible SSRF attack or not. This library does NOT check for path traversal attacks or open-redirect attacks (a server configuration concern). The checks are made in the following order:
- must contain a hostname
- must not be a login URL (e.g. https://user:pass@domain.com) (optional)
- cannot contain RFC-forbidden chars: "<>\^`{|} (optional)
- cannot be a dot domain (e.g. https://./../.com), commonly the result of some parser trick
- cannot be localhost or loopback domain
- cannot be a private/reserved IP of any range
- IPs are allowed but can be optionally blocked
- checks for tricks: octal domains, decimal domains, special chars, scheme tricks, etc.
If you want to know more about the test payloads and coverage, check the tests directory of the project. Test data lives in the /tests/data folder.
It's Open Source
The project is open source, and PRs/Issues are welcome:
https://github.com/felippe-regazio/ssrfcheck