Unsanitized user input in HTTP request (SSRF)
- Rule ID: javascript_express_server_side_request_forgery
- Languages: javascript
- Source: server_side_request_forgery.yml
Description
Building the URL of a backend request directly from unsanitized user input exposes your application to server-side request forgery (SSRF): an attacker who controls the host or path can make your server send requests to destinations you never intended (internal services, cloud metadata endpoints, other tenants). The vulnerability arises whenever user-provided data reaches a URL without adequate validation or sanitization.
Remediations
- Do not directly use user input to construct URLs for backend requests. This approach can lead to SSRF vulnerabilities.
```javascript
// req.params.host is attacker-controlled and becomes the request target
axios.get(`https://${req.params.host}`); // unsafe
```
- Do validate or sanitize user input before using it in URLs. Prefer using a predefined list of allowed hosts and map user input to this list, ensuring only safe and expected URLs are constructed.
```javascript
// User input only chooses between fixed, known hosts; it is never
// written into the URL itself.
var host = "default-api.com";
if (req.params.host === "something-else") {
  host = "other-api.com";
}
axios.get(`https://${host}`);
```
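The allowlist approach generalizes beyond two hosts: keep a frozen map from short keys to full upstream URLs, use the user value only as a lookup key, and reject anything that is not an own property of the map. The following is an added example written for this page, not Bearer's code; the hosts, the `fetchFn` parameter and the route handler shape are hypothetical, and the network call is injected so the handler can be exercised offline.

```javascript
// Allowlist of upstream services. The keys are what a client may send; the
// values are the only URLs this code will ever request. (Constructed hosts.)
const ALLOWED_UPSTREAMS = Object.freeze({
  default: "https://default-api.com",
  other: "https://other-api.com",
});

// Resolve a user-supplied key to an allowlisted URL, or null when it is not
// allowed. The key is never concatenated into a URL, so there is nothing to
// sanitize. hasOwnProperty guards against keys such as "__proto__" or
// "constructor" resolving through the prototype chain.
function resolveUpstream(userKey) {
  if (typeof userKey !== "string") return null;
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_UPSTREAMS, userKey)) {
    return null;
  }
  return ALLOWED_UPSTREAMS[userKey];
}

// Express-style handler (hypothetical). fetchFn is injected so the logic can
// be tested without network access; in the real app pass (url) => axios.get(url).
async function proxyHandler(req, res, fetchFn) {
  const url = resolveUpstream(req.params.host);
  if (url === null) {
    // Unknown key: fail closed before any request leaves the server.
    res.status(400).json({ error: "unknown upstream" });
    return;
  }
  const upstream = await fetchFn(url);
  res.status(200).json(upstream.data);
}

module.exports = { ALLOWED_UPSTREAMS, resolveUpstream, proxyHandler };
```

Because the rejection happens before the first `await`, a bad key never reaches the fetch function at all, which is the property a reviewer should look for when auditing this pattern.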
Configuration
To skip this rule during a scan, use the following flag:
```shell
bearer scan /path/to/your-project/ --skip-rule=javascript_express_server_side_request_forgery
```
To run only this rule during a scan, use the following flag:
```shell
bearer scan /path/to/your-project/ --only-rule=javascript_express_server_side_request_forgery
```