Unsanitized user input in HTTP request (SSRF)

Description

Your application is vulnerable to Server-Side Request Forgery (SSRF) when it connects to URLs built from user-supplied data. Because the attacker controls part of the URL, they can steer the application into making requests it never intended, for example to internal services that are not reachable from outside or to external hosts of their choosing.

Remediations

  • Do not directly include user input in HTTP URLs. This practice can lead to SSRF vulnerabilities, where attackers exploit the application to send requests to unintended destinations.
    $curl = curl_init("https://{$_GET['host']}"); // unsafe
  • Do validate or map user input against a predefined list of safe values before using it to form URLs. This approach ensures that the application only connects to intended and safe locations.
    if ($_GET["host"] == "option1") {
        $host = "api1.com";
    } else {
        $host = "api2.com";
    }

    $curl = curl_init("https://$host");
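The following is an added example, not code from the Bearer rule page, showing the allow-list approach from the remediation carried a step further: the user-supplied key is looked up in a fixed map, unknown keys are rejected rather than silently defaulted, the path is constrained to a narrow pattern, and curl is configured so that a redirect from the trusted host cannot pivot to another scheme. The host names, the `target` query parameter and the `/status` path are assumptions for illustration.

```php
<?php
// Added example (not from the Bearer rule page). Host names and the "target"
// query parameter are assumptions made for illustration.

// Allow-list: the only hosts this application is permitted to contact.
const ALLOWED_HOSTS = [
    'option1' => 'api1.com',
    'option2' => 'api2.com',
];

function resolveHost(string $key): ?string
{
    // Strict lookup: only an exact key present in the allow-list resolves.
    // Returning null (instead of a default host) makes unknown input fail closed.
    return ALLOWED_HOSTS[$key] ?? null;
}

function buildUrl(string $key, string $path): ?string
{
    $host = resolveHost($key);
    if ($host === null) {
        return null; // unknown key: do not build a URL at all
    }
    // Constrain the path so no scheme, userinfo, port or query can be smuggled in.
    if (!preg_match('#^/[A-Za-z0-9_/.-]*$#', $path)) {
        return null;
    }
    return "https://{$host}{$path}";
}

$url = buildUrl($_GET['target'] ?? '', '/status');
if ($url === null) {
    http_response_code(400);
    exit('Unknown target');
}

$curl = curl_init($url);
// Do not follow redirects and allow HTTPS only, so a redirect served by the
// trusted host cannot turn this request into one against another scheme or host.
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($curl);
curl_close($curl);
```

The important design choice is that user input never reaches the URL string itself; it only selects an entry from a map the application owns. Defaulting to a fallback host (as the short remediation snippet does) is acceptable when every branch is a known-safe host, but rejecting unknown keys outright also gives you a clear signal in logs when someone is probing the parameter.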

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=php_lang_http_url_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=php_lang_http_url_using_user_input