Risk of server-side request forgery detected.

• Rule ID: javascript_express_server_side_request_forgery
• Languages: javascript
• Source: server_side_request_forgery.yml

Description

Using unsanitized URLs from the request object when retrieving data puts your application at risk of server-side request forgery (SSRF) attacks. This rule checks for URLs containing user-supplied data.

Remediations

❌ Avoid using user input in URLs:

axios.get(`https://${req.params.host}`)

✅ Use user input indirectly to form a URL:

var host = "default-api.com"
if req.params.host == "something-else" {
  host = "other-api.com"
}

axios.get(`https://${host}`)

Resources

• OWASP - Server-Side Request Forgery (SSRF) prevention cheat sheet

Associated CWE

• CWE-918: Server-Side Request Forgery (SSRF)

OWASP Top 10

• A010:2021 - Server-Side Request Forgery (SSRF)